#Privacy: PayPal and Netflix experience surge in phishing attacks

 Vade Secure, a global leader in predictive email defense, today published its Phishers’ Favorites report for Q3 2019, which ranks the 25 most impersonated brands in phishing attacks.

According to the report, PayPal has overtaken Microsoft to claim the number one ranking for the first time. Netflix was not far behind as the streaming giant moved up to the third spot with a 14.1 percent QoQ and 73.7 percent YoY growth in unique phishing URLs.

The report, which can be read in full here, was developed by analyzing the number of unique phishing URLs detected by Vade Secure and made publicly available on www.IsItPhishing.AI. Leveraging data from more than 600 million protected mailboxes worldwide, Vade’s machine learning algorithms identify the brand being impersonated as part of its real-time analysis of the URL and page content.

PayPal takes the top spot for the first time

After five quarters, PayPal has become the first brand other than Microsoft to claim the number one spot in the rankings. In Q3 2019, Vade’s AI engine detected 16,547 unique PayPal phishing URLs for an average of nearly 180 per day. This represents a 69.6 percent YoY increase. Impersonating PayPal, which had more than 286 million active user accounts in Q2, is clearly a highly profitable practice for cybercriminals, with no letup in sight.

Office 365 phishing techniques shift towards email randomization

Unique Microsoft phishing URLs detected in Q3 2019 were down by 31.5 percent compared to last quarter. Although, with more than 150 unique URLs per day, Office 365 phishing attacks are still very common.

Moreover, cybercriminals have begun to shift their focus to the construction of the email, leveraging various randomization techniques to break through traditional defense layers. This minimizes the need for unique URLs for each message because the phisher is able to reuse the same webpage across a large number of emails.

One randomization technique is to leverage a modified brand logo (e.g. Microsoft logo on a blue background) in order to bypass template matching and feature matching algorithms that can only identify exact matches of the image. To address this challenge, Vade released a Computer Vision Engine that analyzes the rendering instead of the code to detect logos and other images, even when they’ve been manipulated.

In Q3, Vade Secure also saw an increase in both the volume and variety of OneDrive/SharePoint phishing. Attacks ranged from fake notifications directly containing phishing URLs to real OneDrive notifications with a URL to a file where the phishing URL is housed. Vade has also seen the use of compromised Office 365 accounts to directly share a phishing URL, masquerading as a SharePoint file link, with the target.

Netflix phishing surges, with its six consecutive quarter of growth

Netflix phishing has seen steady growth in each of the last six quarters, rising one spot to number three in Q3 (up 14.1 percent QoQ and 73.7 percent YoY). T

he platform’s popularity is surely a key driver for the corresponding growth in phishing campaigns, as it had over 158 million paying subscribers worldwide in the third quarter, along with 5.5 million free trial customers. In addition, Stranger Things season 3, Netflix’s biggest show of the year with 64 million viewers, was released in July. It’s logical for cybercriminals to capitalize on this excitement to catch unsuspecting people off guard.

Additional key findings within the Q3 Phishers’ Favorites report include:

  • Facebook (#4), Bank of America (#5), Apple (#6), Chase (#7), CIBC (#8), Amazon (#9) and DHL (#10) rounded out the top 10 most impersonated brands.

  • Facebook saw a 20 percent decline in unique phishing URLs in Q3, indicating that the massive growth it experienced last quarter has leveled off.

  • There were 10 financial services brands in the top 25 in Q3. It became the most impersonated industry for the first time, accounting for 37.9 percent of all URLs.

  • A large majority of phishing (79.1 percent) took place on weekdays, while Mondays and Wednesdays were the most popular days for cybercriminals to go on the offensive.

“Cybercriminals are always evolving their phishing tactics, and each quarter we see them becoming smarter and more innovative in order to keep up with the defenses being deployed by email users and businesses,” said Adrien Gendre, Chief Solution Architect at Vade Secure.

“Despite the drop in related Microsoft phishing URLs, it’s important for organizations to remain on high alert as our researchers have uncovered a number of new and sophisticated methods of attacking Office 365 users. For consumers, the rise of PayPal phishing, combined with the prevalence of financial institutions in our top 25, means that cybercriminals are making a concerted effort to target your wallet. My advice is to stay vigilant and follow best practices to ensure that you and your bank account are not victimized.”


PrivSec Conferences will bring together leading speakers and experts from privacy and security to deliver compelling content via solo presentations, panel discussions, debates, roundtables and workshops.

For more information on upcoming events, visit the website.

We have been awarded the number 1 GDPR Blog in 2019 by Feedspot.

Privacy Culture: Data Privacy and Information Security Consulting, Culture & Behaviour, Training, and GDPR maturity, covered. https://www.privacyculture.com/