Phishers’ Favorites: Microsoft #1, COVID-19 Colored Everything
Natalie Petitto
—August 27, 2020
—5 min read

Today, we published our Phishers’ Favorites report for Q2 2020. Now in its ninth edition, Phishers’ Favorites ranks the 25 most impersonated brands in phishing attacks, based on the number of unique phishing URLs detected by Vade within the quarter. As we protect 1 billion mailboxes in 76 countries, we have a unique view on global email traffic and the phishing campaigns targeting both consumer and corporate email accounts.

Microsoft is #1, impersonated at twice the rate of #2 Facebook
Microsoft retains the #1 spot, dropping to #2 only twice in the last nine quarters. It’s important to note that the 9,410 unique phishing URLs detected by Vade in Q2 represent not the total number of Microsoft phishing emails detected but the unique phishing URLs contained in those emails. In many cases, a single phishing URL is detected hundreds of times across different phishing campaigns.

Microsoft’s reign over the last seven quarters correlates with its growing Office 365—now Microsoft 365—user base. With 258 million users, Microsoft 365 stores untold amounts of critical business and employee data in SharePoint, OneDrive, Teams, and numerous other applications.
Not only this, but Microsoft is one of the most well-known companies in the world. With that notoriety comes trust: the Microsoft of Microsoft Office 365 or 365 logo is so pervasive, especially in the business world, that phishers are spoofing other brands and using Microsoft as the lure that signals legitimacy.
Below is an example of the trust factor at play. While the phishing email and webpage below take advantage of the real Dropbox service, the subsequent phishing document and link impersonate Microsoft. It’s the final step in the phishing attack and the image the hacker is relying on to lure the victim into clicking.



Below is another example of a phisher usurping Microsoft later in the sequence. The email appears to be a notification from the company’s Xerox scanner, alerting the victim that a document is ready for viewing. While the email itself is unsophisticated, the phishing page is quite the opposite.
As you can see below, there is no phishing link in the email—the phishing page is an attachment, which could allow the email to bypass a solution scanning for phishing links. A Microsoft 365 form prepopulated with the corporate email domain appears over a blurred image of a scanned image (the subject of the email). The real Microsoft form, combined with an enticing image, creates a powerful illusion and incentive to provide the password.


#2 Facebook is one of three social media companies in the top 25
Facebook has been a phishers’ favorite for several quarters, coming in at #2 in the last two quarters. In Q2 2020, Vade detected 4,373 unique Facebook phishing URLs, a 17.1 percent increase from Q1. Like Microsoft, Facebook’s global footprint is tremendous. Its reputation for security? Less so. Facebook’s troubles provide a continual stream of fodder for the press, and each misstep is breaking—albeit unsurprising—news.
The timing of phishing campaigns is often connected to the news cycle or a current event. We saw that with the mass wave of CODIV-19 related phishing attacks that began in early March 2020 and which continue today. For Facebook and other notable brands, spikes in brand impersonation sometimes correspond with high-profile feature releases, business partnerships, and news of security weaknesses. Facebook’s troubles over the last few years, especially with respect to its failure to protect customer data, have been constant, and phishing emails impersonating Facebook have followed suit.
Below is one of the most common examples of Facebook phishing, and naturally it plays of the brand’s ongoing quest to communicate with users Facebook’s commitment to privacy and security.

Facebook isn’t the only social media company rising on the list. WhatsApp, which barely made the list in quarters 1 and 2 2019, saw a significant spike in Q4, with more than 5,000 unique phishing URLs detected. WhatsApp phishing URLs dropped significantly in Q1 2020—83 percent—then jumped 185 percent in Q2 2020, moving to #5 on the list. Why?
COVID-19 and the resulting worldwide lockdowns created a global human disconnect. We turned to technology to solve the problem. There were a series of financial windfalls for a number of technology companies that fulfilled the promise of providing the personal connection we lost a result of COVID-19, especially Zoom.
In the wake of lockdowns, WhatsApp usage grew 40 percent globally—76 percent in hard-hit Spain. Like Facebook, WhatsApp is a popular haven for groups, which users flocked to during lockdowns to communicate with friends and relatives.

With 2 billion users, second only to Facebook, WhatsApp has also been making inroads in the business world. Technology companies in particular are flocking to WhatsApp to take advantage of its Business API, which allows businesses to correspond with customers directly through WhatsApp. An April report estimated that by 2024, seven million businesses will be using WhatsApp for business, an increase of 5,400 percent.
Although LinkedIn fell out of the top ten in Q2, LinkedIn phishing URLs doubled from Q1. The social engineering opportunities on LinkedIn are endless, and with COVID-19 putting millions out of work around the world, a prime opportunity presented itself.
LinkedIn sessions increased 26 percent in Q2, and LinkedIn users watched four million hours of learning content in March 2020, a 50 percent month-over-month increase. No doubt each of these increases was precipitated by the newly out of work, looking to either network for prospects or boost their resumes with new skills—likely both.
The below LinkedIn phishing email would be of interest to anyone looking for work. A common phishing scam, the email informs the user that people are “looking” at their profile. Who? Log in to LinkedIn (give me your password) to find out:

Financial services phishing continues to soar
Financial services continues its streak of being the most impersonated industry in phishing attacks. With eight brands in the top 25, financial services represents four brands in the top 10. Personal and business finances were upended by COVID-19, shuttering businesses and wrecking individual and family financial stability. If ever there was a time to bait people with an alarming email from the bank, this was it.

Overall, financial services represented 33 percent of all phishing URLs in Q2. Chase replaced Bank of America as the most impersonated Wall Street bank, while Wells Fargo moved up two spots to #11. La Banque Postale, a subsidiary of the French postal service, moved up 12 spots to #12 with 3,199 phishing URLs.

La Banque Postale impersonation dropped significantly in quarters 3 and 4 2019 and then spiked in Q1 2020, around the time the bank announced its partnership with Western Union, which allows La Banque Postale customers to more easily make “cross-border, cross-currency transactions.” In Q2 2020, La Banque Postale phishing URLs increased 102 percent, its highest increase to date, which also coincided with another big announcement: its first-ever acquisition.
Finally, PayPal remains in third place for the second straight quarter, after a brief stint at #1 in quarters 3 and 4 2019. PayPal remains a lucrative target for phishers looking to cash in quickly. Unlike attacks on brands with a more corporate clientele, such as Microsoft, PayPal is highly consumer-focused. Like any bank, PayPal stores millions of bank account and routing numbers that can be accessed with a simple username and password, making PayPal a perfect fit for brand impersonation.
Most PayPal phishing emails either warn of suspicious activity on an account or alert the user to a large purchase. Either will get a user’s attention, and in some cases, cause them to click without thinking it through:


Wednesday overtakes Monday as the worst day of the week
Weekdays remain the top days for impersonating corporate targets, but Monday, historically the most popular day, fell to Wednesday as the top day for corporate phishing. This tracks with what we’ve seen in previous quarters, with hackers mimicking the business world by sending email on weekdays but not on weekends.
Facebook, PayPal, and WhatsApp saw more activity on Fridays, Saturdays, and Sundays, which continues the trend of consumer brands being impersonated most frequently on weekends.

Tracking phishers’ favorite brands
Vade has been tracking unique phishing URLs for the top impersonated brands in phishing since Q1 2018. Protecting 1 billion consumer and corporate mailboxes, we see a variety of new techniques each quarter that you can use to educate your customers and clients about the most common phishing attacks and lures. You can find previous reports on our Phishers’ Favorites page to see how phishing trends have changed over time and how the most impersonated brands have shifted up and down the list.