PayPal remains the top brand impersonated in phishing attacks for the second quarter in a row, with Facebook taking the #2 spot and Microsoft coming in third, according to Vade Secure.
Leveraging data from more than 600 million protected mailboxes worldwide, Vade’s machine learning algorithms identify the brands being impersonated as part of its real-time analysis of the URL and page content.
PayPal reigns supreme, again
For the second straight quarter, PayPal was the most impersonated brand in phishing attacks. While PayPal phishing was down 31% compared to Q3, the volume was up 23% year over year. With a daily average of 124 unique URLs, PayPal phishing is a prevalent threat targeting both consumers and SMB employees.
Illegitimate notes and file sharing keep Microsoft phishing in the spotlight
Microsoft remained the primary corporate target in Q4, coming in at #3 on this quarter’s Phishers’ Favorites list. With 200 million active business users and counting, Office 365 continues to be the primary driver for Microsoft phishing.
Cybercriminals seek O365 credentials in order to access sensitive corporate information and use compromised accounts to launch targeted spear phishing attacks on other employees or partners.
In Q4, large volumes of file-sharing phishing were still seen, including fake OneDrive/SharePoint notifications leading directly to a phishing page and legitimate notifications leading to files containing phishing URLs. There’s also the emergence of note phishing impersonating services like OneNote and Evernote.
While the campaigns are similar, the key difference is that OneNote or Evernote notes are not files, but rather HTML pages. Thus, the same technology that is used by email security vendors to scan the contents of files doesn’t work with HTML pages, which means these emails have a higher likelihood of reaching users’ inboxes.
Cybercriminals target your money, but impersonate smaller banks
For the second quarter, financial services companies accounted for the most brands and most URLs in the Phishers’ Favorites report. A difference in Q4, however, is that there was a shift towards phishing customers of smaller banks.
One reason for this could be that while large banks have invested in building out security operations centers, incident response and takedown procedures to limit phishing campaigns impersonating their brand, smaller banks may not have the same level of controls in place.
Additional key findings
- Netflix (#4), WhatsApp (#5), Bank of America (#6), CIBC (#7), Desjardins (#8), Apple (#9) and Amazon (#10) rounded out the top 10 most impersonated brands.
- Despite having only three brands in the top 25, social media increased its share of phishing URLs from 13.1% in Q3 to 24.1% in Q4 2019. This growth was driven by WhatsApp, which shot up 63 spots to #5, and Instagram, which rose 16 spots to #13.
- Netflix phishing had been a model of consistency, growing for six consecutive quarters, but that trend reversed abruptly in Q4, with a 50.2% drop in unique phishing URLs. In fact, the 6,758 Netflix phishing URLs detected in Q4 was the lowest total since Q2 2018.
- For the first time in Phishers’ Favorites history, Friday was the top day overall for phishing emails, followed closely by Thursday. Tuesday, Wednesday and Monday took the middle three spots. As usual, Saturday and Sunday were at the bottom.
“Threats are evolving rapidly and they are becoming more and more credible to end users. This underscores the need for a comprehensive approach to email security combining threat detection, post-delivery remediation and on-the-fly user training as the last line of defense.”
Most impersonated brands in phishing attacks
The complete list of the 25 most impersonated brands in phishing attacks compiled by Vade Secure is available below: