Phisher's Favorites

Phishers’ Favorites Top 25, H1 2022: Microsoft Is the Most Impersonated Brand in Phishing Attacks

Natalie Petitto

July 26, 2022

3 min

Phishers’ Favorites highlights the 25 most impersonated brands in phishing attacks. The list is compiled by analyzing the unique phishing URLs detected by Vade’s technology. A unique phishing URL is a single instance of a phishing URL and not the number of phishing emails associated with the URL. Examples of these URLs and their corresponding pages are available at www.IsItPhishing.AI.

Microsoft leads list of most impersonated brands

Microsoft, a longtime phishers’ favorite, was the most impersonated brand in phishing attacks in H1 2022, with a total of 11,041 unique phishing URLs. Microsoft’s dominant cloud footprint, with nearly 300 million paid seats to its wildly popular Microsoft 365 platform, remains an irresistible target and top draw for phishers around the globe. Microsoft’s position in the top spot is due to a 266 percent QoQ increase in phishing in Q1.

Phishers 1

Facebook followed close behind Microsoft, with 10,448 URLs, thanks to a 177 percent increase in Facebook phishing in Q2. Despite Facebook’s looming legal issues and waning reputation among social media users, it remains the most used social media platform in the world, with around 2.93 billion active users offering valuable data for phishers to exploit.

Rounding out the top five on the Phishers’ Favorites list are Crédit Agricole, WhatsApp, and Orange, one of several ISPs on the list.

See the full list

Banks receive the bulk of abuse by phishers around the globe

Financial services top the list of most impersonated industries in phishing in the first half of 2022. Financial services had eight brands in the top 25, including Crédit Agricole, MTB, and PayPal.

Phishers 3

Like Microsoft and Facebook, financial services brands saw large increases in impersonation in Q1. Crédit Agricole phishing increased 203 percent QoQ, while MTB saw a 332 percent QoQ increase, PayPal saw a 305 percent increase, and La Banque Postale saw a 143 percent increase.

The cloud industry was the second most impersonated industry, with 6 brands in the top 25, including #1 Microsoft, #10 Google, #13 Netflix, #21 Adobe, and #25 DocuSign.

Overall, the financial services industry represented 34 percent of all unique phishing URLs detected by Vade in H1 2022. Cloud and Internet/Telco each represented 19 percent of all phishing URLs, followed by social media with 17 percent, E-commerce with 10 percent, and government with only one percent.

 Phishers 4

Phishers are most likely to attack on weekdays

The pattern of weekday phishing continued in H1 2022, with the majority of phishing URLs detected between Monday and Wednesday, followed by lesser activity towards the end of the week. In Q1, Tuesdays and Wednesdays were the top days for phishing, while Mondays and Tuesdays were the top days in Q2.

Phishers 5

Weekend phishing increased slightly QoQ, with a three percent increase from Q1 to Q2.

Phishers 6

Creative attacks impersonating trusted brands

From inciting panic about large credit card payments to tales of locked social media accounts, phishers used a number of creative techniques to dupe users in the first half of 2022. They impersonated the most trusted brands to achieve their ends.

Microsoft Defender support scam

In 2021 and early 2022, Vade detected a large number of technical support scams impersonating brands like Norton, McAffee, and Microsoft, and later, Apple and Amazon. Unlike most phishing scams, hackers used phone numbers rather than phishing links to lure users and bypass email filters.

In June 2022, hackers impersonated Microsoft Defender, alerting the recipient that a $299.00 subscription payment has posted to their bank account. The recipient, the hacker says, has 24 hours to cancel the payment, but they must do it by phone.Phishers 7

Microsoft Defender phishing email

In previous iterations of the technical support scam, hackers manipulated users over the telephone, convincing them their computers were infected with malware. During the telephone exchange, hackers would take control of users’ computers to install spyware. Vade detected more than 10,000 of these Microsoft Defender phishing emails on June 28, 2022.

Facebook community standards violation

Being locked out of a social media account can be debilitating to those who are always online. Being kicked off a platform for violating policies is an emerging issue that causes users to flock to other social media platforms to complain. In the below Facebook phishing email, the user is informed that their account has been suspended due to a violation of “Community Standards.”

 Phishers 8Facebook community standards phishing email

In another example, the phisher informs the user that Facebook’s renewed privacy policies require the user to confirm their identity with formal documentation. This attack leverages cybersecurity as the ruse for hooking the recipient.

Phishers 9

Facebook identity check phishing

Phishing prevention and detection

Detecting phishing emails is difficult not only for users but also for security vendors. As the sophistication of attacks increases, so does the likelihood that a costly attack will bypass security and land in an inbox.

Vade is responding to the challenges of phishing detection by investing heavily in our AI technology and developing new methods of disarming phishing kits. To learn more about Vade’s anti-phishing technology, visit our Anti-Phishing Solution page.