At this point, everyone knows what phishing is, right? Phishing scams are almost always emails that appear to be from a legitimate business that needs your urgent attention on some matter.
From there, scammers try to get you to click spoofed, malicious links that lead to fake pages built to steal your credentials. If you're not careful, a single stolen login is all these criminals need to reach a treasure trove of personal information: credit card numbers, personal data and other confidential files.
But did you know that not all companies are treated equally when it comes to phishing attempts?
The payoff in victimizing certain accounts is greater, so naturally, scammers allocate more of their resources to target specific brands.
In fact, to shed light on the matter, a new report on the top phishing brands has been published. Read on and see the surprising and not-so-surprising results.
Phishers' Favorites Top 25
Email security firm Vade Secure recently published the second edition of its "Phishers' Favorites" list and there are no surprises here -- Microsoft, PayPal, and Netflix still lead the pack of the most-phished brands in the U.S.
The "Phishers' Favorites" is a quarterly report that tracks the 25 most commonly faked brands in North America, including their movement in the rankings from the prior report. A total of 86 brands are currently being tracked since, based on Vade Secure's findings, they account for 95 percent of all phishing URLs.
What's surprising, though, is the significant drop in social media phishing, mainly because of Facebook's improvement in the rankings.
Microsoft remains the top phishing favorite
Retaining the top spot from the second quarter report is Microsoft and the difference is not even close.
Microsoft phishing URLs grew by 23.7% from the last report, continuing a trend of quarter-over-quarter growth.
Why are Microsoft phishing attacks still so popular? Well, aside from Windows still having the largest desktop user base in the world, the cloud-based side of Microsoft's services (Office 365) makes a stolen login especially valuable.
Nowadays, if a hacker manages to steal Office 365 credentials, not only can they access sensitive files from anywhere, they can also use a compromised account as a springboard for more phishing attacks from within a company.
"The primary goal of Microsoft phishing attacks is to harvest Office 365 credentials. With a single set of credentials, hackers can gain access to a treasure trove of confidential files, data, and contacts stored in Office 365 apps, such as SharePoint, OneDrive, Skype, Excel, CRM, etc.," wrote Vade Secure in its report.
"Moreover, hackers can use these compromised Office 365 accounts to launch additional attacks, including spear phishing, malware, and, increasingly, insider attacks targeting other users within the same organization," the company added.
The most common Microsoft phishing technique is a fake sign-in page that closely mimics the real Office 365 login. For example, scammers send phishing emails warning that Office 365 access has been suspended or disabled, creating "a sense of urgency" for the recipient to enter their credentials immediately.
Another common technique is fake file sharing from a OneDrive or SharePoint account. As always, the hook with these scams is that in order to view the shared file, the target has to enter their Microsoft account credentials.
Runners-up: Paypal and Netflix
PayPal held on to second place with a 29.9% increase in phishing URLs. Why is PayPal so popular? Well, aside from its massive user base, a PayPal account holds financial and banking information that scammers can exploit for a quick buck.
Moving up from fourth to third place is Netflix, which scored a large 61.9% increase in phishing URLs. Netflix phishing scams are on the rise because, aside from harvesting credit card details, Netflix credentials are also sold cheaply on the dark web.
And naturally, making it to the top 5 are two widely used financial institutions - Bank of America with a big 57.4% growth and Wells Fargo, which netted a 21.5% increase.
Apple and Google are lower on the list than I expected, ranking at 14 and 15, respectively.
Facebook moved down
One surprising development in this quarter's report is the progressive decline of phishing attempts on Facebook. Phishing URLs for Facebook already dropped significantly by 53% in the second quarter and dropped even further by 35.6% in the third quarter.
How come? Facebook's security crackdown due to the fallout from the Cambridge Analytica fiasco and increased attention from internet watchdogs are some of the probable reasons why scammers are staying away from Facebook at this time.
Targeted phishing is on the rise
It's interesting to note that while the number of phishing attacks on the whole is rising, hackers are relying more on social engineering than on software exploits and malware. Vade Secure said the total number of new phishing URLs across the 86 tracked brands rose a whopping 23.4% in the third quarter of 2018 alone.
Phishing scammers are also changing how they build URLs to evade detection. By generating a unique URL for each targeted email, they make sure no single link is seen often enough to land on a blocklist or trip reputation-based email security software and filtering tools.
So instead of pointing all of a campaign's emails at one URL, scammers spread them across many addresses that differ only in a token, so that filters keying on a repeated link see each one just once.
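The per-recipient-URL trick above defeats blocklists that match exact links, but the lures still share a host and a path shape. The following is an added example (not from the article or Vade Secure's report) showing how a filter can collapse such URLs back into one campaign by replacing the unique token with a placeholder. The sample URLs are constructed on reserved .example hosts, and the token heuristics (long hex strings, digit runs, long mixed alphanumerics) are an assumption about what "unique per recipient" looks like, not a published rule.

```python
"""Group per-recipient phishing URLs into campaign templates.

Added example, not from the article or Vade Secure's report.  The URLs below
are constructed (reserved .example hosts); the token heuristics are an
assumption about what "unique per recipient" looks like, not a published rule.
"""
import re
from collections import defaultdict
from urllib.parse import parse_qsl, urlsplit

# Constructed sample: one Office 365 lure with a unique path token per recipient,
# one billing lure with unique query values, and one ordinary link.
SAMPLE_URLS = [
    "https://office365-verify.example/auth/3f9a1c7e2b8d4a60/index.html",
    "https://office365-verify.example/auth/c1d2e3f4a5b6c7d8/index.html",
    "https://office365-verify.example/auth/0a1b2c3d4e5f6a7b/index.html",
    "http://OFFICE365-VERIFY.example/auth/9e8d7c6b5a4f3e2d/index.html",
    "https://billing-update.example/account?id=48213977&session=XkP9q2Lm7Rt4Vz1a",
    "https://billing-update.example/account?id=48214002&session=Qw3Er5Ty7Ui9Op1z",
    "https://legit-looking.example/help/contact",
]


def looks_like_token(segment: str) -> bool:
    """Heuristic (assumed thresholds): long hex strings, digit runs, or long
    mixed alphanumerics are per-recipient tokens rather than real path names."""
    if len(segment) >= 8 and re.fullmatch(r"[0-9a-f]+", segment):
        return True
    if len(segment) >= 6 and segment.isdigit():
        return True
    if (len(segment) >= 12 and re.fullmatch(r"[A-Za-z0-9_-]+", segment)
            and any(c.isdigit() for c in segment)
            and any(c.isalpha() for c in segment)):
        return True
    return False


def normalise(url: str) -> str:
    """Reduce a URL to lowercase host + path shape + query parameter names.

    Unique path tokens become "{token}" and query values are dropped, so every
    member of one campaign maps to the same template string.
    """
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").lower()
    path = "/".join("{token}" if looks_like_token(seg) else seg
                    for seg in parts.path.split("/"))
    keys = sorted({k for k, _ in parse_qsl(parts.query, keep_blank_values=True)})
    return host + (path or "/") + ("?" + "&".join(keys) if keys else "")


def cluster(urls):
    """Map each template to the sorted, distinct raw URLs that produced it."""
    groups = defaultdict(set)
    for url in urls:
        groups[normalise(url)].add(url)
    return {template: sorted(members) for template, members in groups.items()}


def campaigns(urls, min_size=3):
    """Templates backed by at least min_size distinct URLs: the repeated
    indicator that a per-URL blocklist never gets to see."""
    return {t: len(m) for t, m in cluster(urls).items() if len(m) >= min_size}


if __name__ == "__main__":
    for template, count in campaigns(SAMPLE_URLS).items():
        print(f"{count} unique URLs share template {template}")
```

Run against the sample, the four Office 365 links (one with an upper-case host) collapse to a single template backed by four distinct URLs, which is exactly the repetition a filter can act on. Real deployments tune the token heuristics and add host reputation; this shows only the normalisation step.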
Top days for phishing
Here is another interesting finding from Vade Secure's report: the days of the week on which scammers send the most phishing emails, and how that varies by brand.
Apparently, cybercriminals also adhere to general marketing strategies when they send out their fake emails to increase their chances of success.
Microsoft phishing emails are sent out on weekdays, peaking on Tuesdays and Thursdays, and understandably drop off on weekends.
The reverse is true with Netflix as phishing attacks peak during the weekends, the days when subscribers are streaming the most.
Banking phishing attacks also peak on Saturdays and Sundays, since bank customer support is typically closed on weekends, making it harder for targets to verify whether a bank email is genuine.
How to protect yourself against phishing scams:
- Use unique passwords - Many people use the same password for multiple websites. This is a terrible mistake. If your credentials are stolen on one site and you use the same username and/or password on others, it's simple for the cybercriminal to get into each account. A password manager makes a unique, strong password for every site practical.
- Be cautious with links - If you get an email or notification that you find suspicious, don't click on its links. It could be a phishing attack. It's always better to type a website's address directly into your browser, or use a bookmark you saved earlier, than to click a link in a message. Before you ever click on a link, hover over it with your mouse to see where it will actually take you (on a phone, press and hold the link to preview the destination). If the destination isn't what the link claims, do not click on it.
- Set up two-factor authentication - Two-factor authentication, also known as two-step verification, means that to log in to your account you need two ways to prove you are who you say you are. It's like the DMV or bank asking for two forms of ID. An authenticator app or a hardware security key is stronger than codes sent by SMS, and a FIDO2/WebAuthn security key will not hand over a login to the fake sign-in pages described above, because the key only works for the real site's domain.
- Watch for typos - Phishing scams are infamous for typos, and an email from a reputable company should not contain them. But a clean, well-written email is no guarantee of legitimacy; many of the lures in this report are near-perfect copies of the real thing, so treat the sender address and the link destination as the stronger signals.
- Check your online accounts - The site HaveIBeenPwned lets you check whether your email address has appeared in a known data breach. If it has, change the password on that account and anywhere else you reused it.
- Have strong security software - Keeping protection on your family's gadgets up to date is important. Security software that filters known phishing links is a useful backstop, but it works best alongside the habits above, since the unique per-recipient URLs described earlier are designed to slip past it.
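The "hover over the link" check above can also be done programmatically over an email body, which is useful when you want to triage a reported message or screen mail at scale. The following is an added example, not from the article: it extracts every anchor from an HTML email and flags links whose visible text names one host while the real destination is another, plus two classic tricks (a `user@` prefix that makes the address start with a brand name, and a raw IP address host). The email body is constructed, using reserved .example hosts and a documentation IP range.

```python
"""Flag links whose visible text points somewhere other than their real destination.

Added example, not from the article.  It does programmatically what the
"hover over the link" advice does by hand.  The email body is constructed;
hosts use reserved .example names and a documentation IP range.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed lure in the style the report describes: an "access suspended"
# warning whose links show a Microsoft or PayPal name but lead elsewhere.
SAMPLE_EMAIL = """
<p>Your Office 365 access has been suspended. Sign in within 24 hours to restore it.</p>
<p><a href="https://office365-verify.example/auth/login">https://login.microsoftonline.com</a></p>
<p><a href="https://www.paypal.com@203.0.113.5/cgi-bin/webscr">www.paypal.com</a></p>
<p><a href="https://support.microsoft.com/help">support.microsoft.com</a></p>
"""

MISMATCH = "display text and destination host differ"
USERINFO = "credentials-style '@' before the real host"
RAW_IP = "raw IP address host"

# Visible text that looks like a URL or bare domain; group 1 is the host it claims.
HOSTLIKE = re.compile(
    r"^(?:https?://)?(?:www\.)?([a-z0-9.-]+\.[a-z]{2,})(?:[/:?].*)?$", re.I)


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> elements."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url: str) -> str:
    """Real host the browser would connect to (anything before '@' is userinfo)."""
    return (urlsplit(url).hostname or "").lower()


def shown_host(text: str):
    """Host the link text claims, or None if the text is not URL-like."""
    m = HOSTLIKE.match(text.strip())
    return m.group(1).lower() if m else None


def check_links(html: str):
    """Return one finding per suspicious anchor: href, text and the reasons."""
    parser = _LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        actual = host_of(href)
        claimed = shown_host(text)
        reasons = []
        # A subdomain of the claimed host is fine; anything else is a mismatch.
        if claimed and actual != claimed and not actual.endswith("." + claimed):
            reasons.append(MISMATCH)
        if "@" in urlsplit(href).netloc:
            reasons.append(USERINFO)
        if re.fullmatch(r"\d{1,3}(?:\.\d{1,3}){3}", actual):
            reasons.append(RAW_IP)
        if reasons:
            findings.append({"href": href, "text": text, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in check_links(SAMPLE_EMAIL):
        print(f"{f['text']!r} -> {f['href']}: {', '.join(f['reasons'])}")
```

On the sample, the first link is flagged because it shows a Microsoft login address but points at an .example host, the second for all three reasons (its text says PayPal, the `www.paypal.com@` part is userinfo, and the real host is an IP address), and the genuine support link passes. Anchors whose text is plain words ("Review your account") can't be checked this way, which is why the manual hover advice still matters.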