Vade Report: Microsoft Is Most Spoofed Brand in Attacks

The “Phishers' Favorites” report from Vade for Q2 2020 notes that high-visibility brands have been increasingly targeted by phishers during the Covid-19 pandemic.

Hem (59) August 26, 2020 - Vade, a French specialist in predictive email inbox defense that protects more than 1 billion email inboxes in 76 countries, revealed the 25 most impersonated brands in phishing attacks today in its report Phishers' Favorites for Q2 2020. Unsurprisingly, Microsoft is still, by a long shot, the most impersonated brand in the world. The rest of the ranking bears the mark of Covid-19, given that phishers attack the brands that are most visible at the time.

The report, full version available here, is the result of analyzing the number of unique phishing URLs detected by Vade and made public at www.IsItPhishing.AI. Using data from more than one billion email inboxes around the world, machine learning algorithms developed by Vade identify the most targeted brands in phishing campaigns through real-time analysis of URLs and page content.

Phishers’ Favorites Q2 2020: Microsoft Is the Most Spoofed Brand, COVID-19 Colored Everything

Microsoft has the top spot (N°1), being impersonated at twice the rate of Facebook (N°2).

With 9,410 unique phishing URLs detected by Vade, Microsoft was, by far, the most impersonated brand in the second quarter of 2020. (NB: For its ranking, Vade counts each URL once, but these URLs are generally used several hundred times across different phishing campaigns.)

The position Microsoft has occupied over the last seven quarters (over the past 2 years, Microsoft has only been dethroned for 2 quarters, by PayPal) corresponds to the growing number of Microsoft 365 users, which stands at 258 million today. Microsoft 365 stores untold amounts of critical business and employee data in SharePoint, OneDrive, Teams, and numerous other applications.

Not only this, but Microsoft is one of the most well-known companies in the world. With that notoriety comes trust: the Microsoft logo is so pervasive, especially in the business world, that hackers are spoofing other brands and using Microsoft as the lure that signals legitimacy.

WhatsApp, technology to keep in touch, jumped 14 places during lockdown...

Concerning social media, Facebook remains phishers’ favorite brand. In Q2 2020, Vade detected 4,373 unique phishing URLs impersonating Facebook, an increase of 17.1% from Q1. Like Microsoft, Facebook’s global digital footprint is undeniable. Phishing campaigns are often related to news or current events. Vade observed a massive wave of phishing attacks linked to the Covid-19 pandemic in March 2020. For Facebook and other well-known brands, peaks in impersonation sometimes correspond to the launch of expected features, commercial partnerships and disclosed security vulnerabilities.

However, the social media platform that has gained the most popularity with users, and with phishers, is WhatsApp. While it was barely on the list in Q1 and Q2 2019, WhatsApp saw a significant spike in Q4, with more than 5,000 unique phishing URLs detected. After a large decrease (-83%) in Q1 2020, WhatsApp phishing URLs soared by 185% in Q2 2020, propelling the company into fifth place on the ranking.

The Covid-19 pandemic and subsequent lockdowns are responsible for the loss of social links all over the planet. Quite naturally, a large part of the population turned towards technology (WhatsApp but also Zoom, etc.) to combat this problem. During lockdown, WhatsApp use increased by 40% globally, including 76% in Spain, which was particularly affected by the pandemic.

Searching for employment and viewing training content blew up on LinkedIn

LinkedIn is no longer in the top 10, but LinkedIn phishing URLs doubled compared to Q1. LinkedIn abounds with social engineering opportunities, especially since the Covid-19 epidemic has caused the loss of millions of jobs around the world. For example, LinkedIn sessions increased 26% in Q2, and platform users watched four million hours of training content in March 2020, a 50% month-over-month increase. No doubt each of these increases was precipitated by the millions of people newly out of work, resulting in a massive influx of users looking to either network for prospects or boost their resumes with new skills, likely both.

Financial services, the sector with the most impersonated brands

In such times of financial instability, what could be more efficient than an alarming email from your bank...

The financial sector has eight brands in the top 25 in the ranking and 5 in the Top 10. This represents 33% of the total unique phishing URLs detected in the sector.

While the American investment bank Chase dethroned Bank of America, La Banque Postale, a subsidiary of the French postal service, made the biggest leap, moving up 12 spots to #12 with 3,199 phishing URLs.

After a first spike in Q1, coinciding with the Western Union partnership announcement, La Banque Postale experienced a second spike in Q2 (+102% unique URLs detected), presumably linked to the merger with the French insurance firm CNP Assurances.

Phishing with email notification from La Banque Postale

Finally, PayPal remains in third place for the second straight quarter, after a brief stint at the top spot in Q3 and Q4 2019. PayPal remains a lucrative target for hackers looking to cash in quickly. Unlike attacks on brands with a more corporate clientele, such as Microsoft, PayPal is highly consumer-focused. Like any bank, PayPal stores millions of bank account and routing numbers that can be accessed with a simple username and password, making PayPal a perfect fit for brand impersonation. 

About Vade

Vade helps SMEs, companies, ISPs and OEMs to protect their users against sophisticated cyber threats such as phishing, spear phishing, malware and ransomware. Our company's proactive email protection solution uses artificial intelligence and data from 600 million messaging services in order to block targeted and innovative attacks from the first wave. Moreover, real-time threat detection enables Security Operations Centers (SOCs) to instantly identify new threats and coordinate appropriate interventions. Vade technology is available as a native, API-based offering for Office 365, as cloud-based solutions, or as lightweight, extensible APIs for enterprise SOCs.

To learn more, visit and follow us on Twitter @VadeSecure or LinkedIn

# # #

Press contacts:
Aurélien Rouby/Laëtitia Berché
+33 (0)6 70 68 49 32