Q4 2019: Note-Based Phishing, Small Bank Impersonation Increases

Q4 Phishers’ Favorites report names
PayPal as the number one overall target for the second quarter, and Microsoft
as the number one corporate target

Boston, Mass. – February 6, 2020 - Vade, the global leader in
predictive email defense, today published its Phishers’ Favorites report for Q4
2019, which ranks the 25 most impersonated brands in phishing attacks.
According to this quarter’s findings, PayPal remains the top brand impersonated
by cybercriminals for the second quarter in a row, with Facebook taking the #2
spot and Microsoft coming in third.

The report, which can be read in full here, was developed by analyzing the number of unique phishing URLs detected by Vade and made publicly available on www.IsItPhishing.AI. Leveraging data from more than 600 million protected mailboxes worldwide, Vade’s machine learning algorithms identify the brands being impersonated as part of its real-time analysis of the URL and page content.

PayPal reigns supreme, again

For the second straight quarter, PayPal was the most impersonated
brand in phishing attacks. While PayPal phishing was down 31% compared to Q3,
the volume was up 23% year over year. With a daily average of 124 unique URLs,
PayPal phishing is a prevalent threat targeting both consumers and SMB

Illegitimate notes and file sharing keep Microsoft phishing in the spotlight

remained the primary corporate target in Q4, coming in at #3 on this quarter’s
Phishers’ Favorites list. With 200 million active business users and counting,
Office 365 continues to be the primary driver for Microsoft phishing.
Cybercriminals seek O365 credentials in order to access sensitive corporate
information and use compromised accounts to launch targeted spear phishing
attacks on other employees or partners.

In Q4, Vade continued to see large
volumes of file-sharing phishing, including fake OneDrive/SharePoint
notifications leading directly to a phishing page and legitimate notifications
leading to files containing phishing URLs. Vade is also seeing the emergence of
note phishing impersonating services like OneNote and Evernote. While the
campaigns are similar, the key difference is that OneNote or Evernote notes are
not files, but rather HTML pages. Thus, the same technology that is used by
email security vendors to scan the contents of files doesn’t work with HTML
pages, which means these emails have a higher likelihood of reaching users’

Cybercriminals target your money, but impersonate smaller banks

For the second quarter, financial services
companies accounted for the most brands and most URLs in the Phishers’
Favorites report. A difference in Q4, however, is that Vade saw a shift towards
phishing customers of smaller banks. One reason for this could be that while
large banks have invested in building out security operations centers, incident
response and takedown procedures to limit phishing campaigns impersonating
their brand, smaller banks may not have the same level of controls in place.

Additional key findings within the Q4 Phishers’ Favorites report include:

  • Netflix (#4), WhatsApp (#5), Bank
    of America (#6), CIBC (#7), Desjardins (#8), Apple (#9) and Amazon (#10)
    rounded out the top 10 most impersonated brands.
  • Despite having only three brands in
    the top 25, social media increased its share of phishing URLs from 13.1% in Q3
    to 24.1% in Q4 2019. This growth was driven by WhatsApp, which shot up 63 spots
    to #5, and Instagram, which rose 16 spots to #13.
  • Netflix phishing had been a
    model of consistency, growing for six consecutive quarters, but that trend
    reversed abruptly in Q4, with a 50.2% drop in unique phishing URLs. In fact,
    the 6,758 Netflix phishing URLs detected by Vade in Q4 was the lowest
    total since Q2 2018.
  • For the first time in Phishers’
    Favorites history, Friday was the top day overall for phishing emails, followed
    closely by Thursday. Tuesday, Wednesday and Monday took the middle three spots.
    As usual, Saturday and Sunday were at the bottom.

“When it comes to phishing in particular
and cyberattacks in general, change is the only constant,” said Adrien Gendre,
Chief Solution Architect at Vade. “Threats are evolving rapidly and they
are becoming more and more credible to end users. This underscores the need for
a comprehensive approach to email security combining threat detection,
post-delivery remediation and on-the-fly user training as the last line of

For full insight into Q4 2019’s top 25 most impersonated brands and
the latest phishing techniques and attack examples, please read the full report on
the Vade blog