H1 2023 Phishing and Malware Report: Trends and Highlights

In H1 2023, Vade detected a significant number of phishing and malware threats. Phishing volumes increased by more than 54% during this period compared to H2 2022 (742.9 million vs. 482.2 million). Meanwhile, H1 2023 malware volumes saw a slight increase (112.3 million) compared to the previous period (111.4 million).

Let’s dive into the details and trends behind these numbers.

Phishing and malware trends: January and June were the most active months for phishers

As reported in last quarter’s phishing and malware report, January accounted for the highest volume of phishing emails in Q1 with 488.5 million, which also surpassed any month in Q2. June was the second most active month for phishing, with more email threats observed during this period than in April or May combined (91 million vs. 89 million). Meanwhile, February was the least active month for phishers (26.6 million emails). Overall, phishing volumes in Q1 surpassed those in Q2 (562.5 million vs. 180.4 million).

Capture d’écran 2023-07-12 à 17.44.30

Phishing emails H1 2023


Phishing and malware trends: malware volumes remain persistently high

April saw the highest volume of malware threats (26.2 million), followed by March (20.3 million) and June (20 million). For 2023, malware volumes in Q2 surpassed those in Q1 (60 million vs. 52.3 million).

Phishing and malware - malware emails H1 2023Malware emails H1 2023

[Related Content]: Q1 2023 Phishing and Malware Report: Phishing Increases 102% QoQ


Facebook and Microsoft remain the top impersonated brands

Each quarter, Vade’s filter engine detects and analyzes millions of phishing emails and hundreds of thousands of phishing webpages. By analyzing unique branded phishing websites, Vade assembles a list of the top brands impersonated by hackers.

While trends in phishing frequently evolve, Facebook and Microsoft’s collective dominance as the most spoofed brands continues. Since 2020, both have finished every quarter in first or second place, a trend that persisted in H1 2023.

Facebook took first place in H1, accounting for 18% of all phishing URLs and topping Microsoft (15%). Facebook also ended Q1 as the most impersonated brand, while Microsoft overtook the social media giant in Q2 after experiencing a 22% QoQ increase in spoofing attempts.

In H1, Facebook and Microsoft together accounted for more unique phishing URLs than the next top five brands combined, which included Crédit Agricole, SoftBank, Orange, PayPal, and Apple.

Phishing and malware – Top 10 most impersonated brands H1 2023

Top 10 most impersonated brands H1 2023


New call-to-action


Phishing URLs spoofing SoftBank, First Citizens Bank, and Crédit Agricole increase significantly in Q2

For Japan-based SoftBank, 2023 has proven to be an exceptional year in terms of spoofing attempts. The financial services brand ended Q2 as the third most impersonated brand in phishing attacks, accounting for 4591 unique URLs, trailing only Microsoft and Facebook after experiencing a nearly 1500% QoQ increase. Overall, SoftBank finished H1 as the fourth most impersonated brand.

Capture d’écran 2023-07-12 à 17.45.15

SoftBank phishing page detected by Vade

Yet SoftBank's active 2023 reflects a global trend in the financial services industry. US-based First Citizens Bank, which accounted for 12 unique phishing URLs in Q1, saw this total increase by more than 4000% to reach 502 for Q2, the 16th highest total among all brands for the quarter.

Capture d’écran 2023-07-12 à 12.55.03

First Citizens Bank phishing page detected by Vade


Meanwhile, France-based Crédit Agricole jumped four places to become the third most impersonated brand in H1, following QoQ increases of 170% and 61% for Q1 and Q2, respectively.

Capture d’écran 2023-07-12 à 12.55.13

Crédit Agricole phishing page detected by Vade


Financial services continues its dominance as the most impersonated industry

The financial services industry remains the most impersonated industry. In Q1 and Q2 2023, more financial services brands were among the top 25 than in any quarter in 2022, 2021, or 2020. Q1 accounted for a record 12 brands, while Q2 and H1 each resulted in 11. Additionally, the sector accounted for more than 33% of all phishing URLs in H1, followed by social media (22%) and cloud (21%).

Capture d’écran 2023-07-12 à 12.55.36

Phishing by industry H1 2023

Only three social media companies broke into the list of top 25 most impersonated brands, with Facebook accounting for the largest share of the sector’s phishing URLs (85%), followed by WhatsApp (9%) and Instagram (5%). Like social media, only three cloud brands made the list of top 25. Microsoft led the sector (accounting for 53% of its phishing URLs), trailed by Google (12%) and Netflix (7%).


Phishing attacks continue to target Microsoft and Google

As previously reported by Vade, Microsoft and Google are top targets for hackers due in part to the popularity of their productivity suites, Microsoft 365 and Google Workspace. Microsoft and Google were among the list of top 10 spoofed brands in H1, after ending 2022 in second and third place, respectively.

In June, Vade reported its threat analysis of “Greatness,” a sophisticated phishing-as-a-service (PhaaS) offering targeting Microsoft 365 users. The threat facilitates a man-in-the-middle (MitM) attack, acting as a proxy for Microsoft’s authentication system and stealing user credentials or cookies.

This threat follows two other PhaaS offerings detected by Vade earlier this year, each exploiting Google services, including YouTube and Google Translate. In June, Vade also detected another phishing attack impersonating Microsoft 365’s authentication system.

Capture d’écran 2023-07-12 à 12.55.42

Microsoft phishing page detected by Vade in June 2023


As the popularity of productivity suites continues to increase, so does the supply of attacks spoofing the technology. This presents important implications for businesses, including the need to secure human collaboration with a new approach to productivity suite security.


Email is the top vector for phishing and malware threats

Email remains the most popular channel for distributing phishing and malware threats. That’s not likely to change anytime soon, as the communication method provides hackers with a direct and convenient channel to exploit the greatest weakness in your attack surface (users). And with the rise of productivity tools, email is becoming more important and vulnerable than before.

To stay protected, your organization must look to fortify your email security. That calls for augmenting Microsoft’s native security with an integrated, third-party solution like Vade for M365. The solution combines advanced capabilities for incident response, threat detection and remediation, threat intelligence and investigation, and automated phishing awareness training.


New call-to-action