The Phishers' Favorites report for Q4 2019 says that PayPal remains the top brand impersonated by cybercriminals for the second quarter in a row, with Facebook taking the #2 spot and Microsoft coming in third.

The report was developed by analyzing the number of unique phishing URLs detected by Vade Secure and made publicly available on www.IsItPhishing.AI. Leveraging data from more than 600 million protected mailboxes worldwide, Vade identified the brands being impersonated as part of its real-time analysis of the URL and page content.

For the second straight quarter, PayPal was the most impersonated brand in phishing attacks. While PayPal phishing was down 31% compared to Q3, the volume was up 23% year over year. With a daily average of 124 unique URLs, PayPal phishing is a prevalent threat targeting both consumers and SMB employees.

Microsoft remained the primary corporate target in Q4, coming in at #3 on this quarter's Phishers' Favorites list. With 200 million active business users and counting, Office 365 continues to be the primary driver for Microsoft phishing. Cybercriminals seek O365 credentials in order to access sensitive corporate information and use compromised accounts to launch targeted spear phishing attacks on other employees or partners.

In Q4, Vade Secure continued to see large volumes of file-sharing phishing, including fake OneDrive/SharePoint notifications leading directly to a phishing page and legitimate notifications leading to files containing phishing URLs. Vade is also seeing the emergence of note phishing impersonating services like OneNote and Evernote. While the campaigns are similar, the key difference is that OneNote or Evernote notes are not files, but rather HTML pages. Thus, the same technology that is used by email security vendors to scan the contents of files doesn't work with HTML pages, which means these emails have a higher likelihood of reaching users' inboxes.

For the second quarter, financial services companies accounted for the most brands and most URLs in the Phishers' Favorites report. A difference in Q4, however, is that Vade saw a shift towards phishing customers of smaller banks. One reason for this could be that while large banks have invested in building out security operations centers, incident response and takedown procedures to limit phishing campaigns impersonating their brand, smaller banks may not have the same level of controls in place.

Additional findings:

  • Netflix (#4), WhatsApp (#5), Bank of America (#6), CIBC (#7), Desjardins (#8), Apple (#9) and Amazon (#10) rounded out the top 10 most impersonated brands.
  • Despite having only three brands in the top 25, social media increased its share of phishing URLs from 13.1% in Q3 to 24.1% in Q4 2019. This growth was driven by WhatsApp, which shot up 63 spots to #5, and Instagram, which rose 16 spots to #13.
  • Netflix phishing had been a model of consistency, growing for six consecutive quarters, but that trend reversed abruptly in Q4, with a 50.2% drop in unique phishing URLs. In fact, the 6,758 Netflix phishing URLs detected by Vade Secure in Q4 was the lowest total since Q2 2018.
  • For the first time in Phishers' Favorites history, Friday was the top day overall for phishing emails, followed closely by Thursday. Tuesday, Wednesday and Monday took the middle three spots. As usual, Saturday and Sunday were at the bottom.

"When it comes to phishing in particular and cyberattacks in general, change is the only constant," said Adrien Gendre, Chief Solution Architect at Vade Secure. "Threats are evolving rapidly and they are becoming more and more credible to end users. This underscores the need for a comprehensive approach to email security combining threat detection, post-delivery remediation and on-the-fly user training as the last line of defense."