Brand Phishing Report – Q4 2020


According to Check Point Research´s (CPR) analysis, Microsoft still lead the top ten-brand phishing in the last quarter of 2020, with many websites trying to impersonate Microsoft login screens and steal user credentials.

Shipping and retail, mainly led by email phishing on DHL and Amazon, are up to the top 3 brand industries for the first time this year and have more than doubled their relative share following the shopping and holidays months.

Top Phishing brands

Below are the top ten brands ranked by their overall appearance in brand phishing events during Q4 2020:

Top phishing brands in Q4 2020

The top brands are ranked by their overall appearance in brand phishing attempts:

  1. Microsoft (related to 43% of all brand phishing attempts globally)
  2. DHL (18%)
  3. LinkedIn (6%)
  4. Amazon (5%)
  5. Rakuten (4%)
  6. IKEA (3%)
  7. Google (2%)
  8. Paypal (2%)
  9. Chase (2%)
  10. Yahoo (1%)

Top industry sectors for brand phishing

  1. Technology
  2. Shipping
  3. Retail

DHL Phishing Email – Password Theft Example

During November, we noticed a malicious phishing email that used DHL’s branding, and was trying to steal users’ passwords. The email (see Figure 1), which was sent from the spoofed email address [email protected], contained the subject “RE: Your DHL parcel (Available for pick up) – [<recipient email>]” with the user’s email. The attacker was trying to lure the victim to click on a malicious link, which redirected the user to a fraudulent login page (see Figure 2) where the user needed to key in their password, and would then be sent to the site selected by the attacker (https://ipostagepay[.]ru/[.]mm0/).

Microsoft Phishing Email – Credentials Theft Example

During December we observed a malicious phishing email, which was trying to steal credentials of Microsoft Office 365 account users. The email (Figure 3) contained the subject “Doc(s) Daily delivery #- <ID Number>” and the content impersonated eFax service. After the users click on the link, they are taken to another document (Figure 4) that redirects them to a fraudulent Microsoft login page (Figure 5).