Vade Secure Report Reveals that PayPal and Netflix Phishing Surged in Q3 2019

Vade Secure, the global leader in predictive email defense, today published its Phishers’ Favorites report for Q3 2019, which ranks the 25 most impersonated brands in #phishing attacks. According to the report, PayPal has overtaken Microsoft to claim the number one ranking for the first time. Netflix was not far behind as the streaming giant moved up to the third spot with a 14.1 percent QoQ and 73.7 percent YoY growth in unique phishing URLs.

The report, which can be read in full here, was developed by analyzing the number of unique phishing URLs detected by Vade Secure and made publicly available on www.IsItPhishing.AI.   Leveraging data from more than 600 million protected mailboxes worldwide, Vade’s machine learning algorithms identify the brand being impersonated as part of its real-time analysis of the URL and page content. 

PayPal takes the top spot for the first time
After five quarters, PayPal has become the first brand other than Microsoft to claim the number one spot in the rankings. In Q3 2019, Vade’s AI engine detected 16,547 unique PayPal phishing
URLs for an average of nearly 180 per day. This represents a 69.6 percent YoY increase. Impersonating PayPal, which had more than 286 million active user accounts in Q2, is clearly a
highly profitable practice for cybercriminals, with no letup in sight.

Office 365 phishing techniques shift towards email randomization
Unique Microsoft phishing URLs detected in Q3 2019 were down by 31.5 percent compared to last quarter. Although, with more than 150 unique URLs per day, Office 365 phishing attacks are
still very common.

Moreover, cybercriminals have begun to shift their focus to the construction of the email, leveraging various randomization techniques to break through traditional defense layers. This minimizes the need for unique URLs for each message because the phisher is able to reuse the same webpage across a large number of emails. One randomization technique is to leverage a
modified brand logo (e.g. Microsoft logo on a blue background) in order to bypass template matching and feature matching algorithms that can only identify exact matches of the image. To
address this challenge, Vade released a Computer Vision Engine that analyzes the rendering instead of the code to detect logos and other images, even when they’ve been manipulated.

In Q3, Vade Secure also saw an increase in both the volume and variety of OneDrive/SharePoint phishing. Attacks ranged from fake notifications directly containing phishing URLs to real OneDrive notifications with a URL to a file where the phishing URL is housed. Vade has also seen the use of compromised Office 365 accounts to directly share a phishing URL, masquerading as a SharePoint file link, with the target.

Netflix phishing surges, with its six consecutive quarter of growth
Netflix phishing has seen steady growth in each of the last six quarters, rising one spot to number three in Q3 (up 14.1 percent QoQ and 73.7 percent YoY). The platform’s popularity is
surely a key driver for the corresponding growth in phishing campaigns, as it had over 158 million paying subscribers worldwide in the third quarter, along with 5.5 million free trial
customers. In addition, Stranger Things season 3, Netflix’s biggest show of the year with 64 million viewers, was released in July. It’s logical for cybercriminals to capitalize on this
excitement to catch unsuspecting people off guard.

Additional key findings within the Q3 Phishers’ Favorites report include:
• Facebook (4), Bank of America (5), Apple (6), Chase (7), CIBC (8), Amazon (9)
and DHL (10) rounded out the top 10 most impersonated brands.
• Facebook saw a 20 percent decline in unique phishing URLs in Q3, indicating that the
massive growth it experienced last quarter has leveled off.
• There were 10 financial services brands in the top 25 in Q3. It became the most
impersonated industry for the first time, accounting for 37.9 percent of all URLs.
• A large majority of phishing (79.1 percent) took place on weekdays, while Mondays and
Wednesdays were the most popular days for cybercriminals to go on the offensive.

“Cybercriminals are always evolving their phishing tactics, and each quarter we see them becoming smarter and more innovative in order to keep up with the defenses being deployed by
email users and businesses,” said Adrien Gendre, Chief Solution Architect at Vade Secure. “Despite the drop in related Microsoft phishing URLs, it’s important for organizations to remain
on high alert as our researchers have uncovered a number of new and sophisticated methods of attacking Office 365 users. For consumers, the rise of PayPal phishing, combined with the
prevalence of financial institutions in our top 25, means that cybercriminals are making a concerted effort to target your wallet. My advice is to stay vigilant and follow best practices to
ensure that you and your bank account are not victimized.”

For full insight into Q3 2019’s top 25 most impersonated brands and the latest phishing techniques and attack examples, please read the full report on the Vade Secure blog.
MSPs and resellers can also download a presentation with their data to use in client meetings.

About Vade Secure
Vade Secure helps SMBs, enterprises, ISPs and OEMs protect their users from advanced cyberthreats, such as phishing, spear phishing, malware, and ransomware. The company’s
predictive email defense solutions leverage artificial intelligence, fed by data from 600 million mailboxes, to block targeted threats and new attacks from the first wave. In addition, real-time
threat detection capabilities enable SOCs to instantly identify new threats and orchestrate coordinated responses. Vade Secure’s technology is available as a native, API-based offering
for Office 365; as cloud-based solutions; or as lightweight, extensible APIs for enterprise SOCs.