In Q4 2025, Microsoft once again ranked as the most impersonated brand in phishing attacks, accounting for 22% of all brand phishing attempts, according to data from Check Point Research. This continues a multi-quarter trend in which attackers increasingly abuse trusted enterprise and consumer brands to harvest credentials and gain initial access.

Google followed in second place with 13%, while Amazon climbed into third position at 9%, fueled by Black Friday and holiday sales, overtaking Apple. After a prolonged absence, Facebook (Meta) re-entered the top 10, landing in fifth place, highlighting renewed interest among attackers in social media account takeover.

Technology Continues to Dominate Brand Phishing

By industry, the technology sector remained the most impersonated category in brand phishing campaigns during Q4 2025. Its dominance reflects attackers’ focus on credentials that can unlock enterprise access, cloud services, and identity platforms..

Technology was followed by social networks, driven by elevated Facebook-themed phishing, and financial services, which continue to be abused for direct fraud and payment theft.

Top 10 Most Imitated Brands in Phishing – Q4 2025

Below are the brands most frequently impersonated in phishing attacks during Q4 2025, ranked by overall share:

  1. Microsoft – 22%
  2. Google – 13%
  3. Amazon – 9%
  4. Apple – 8%
  5. Facebook (Meta) – 3%
  6. PayPal – 2%
  7. Adobe – 2%
  8. Booking – 2%
  9. DHL – 1%
  10. LinkedIn – 1%

The continued dominance of Microsoft and Google reflects their central role in identity, productivity, and authentication workflows—making stolen credentials particularly valuable to attackers.

Real-World Phishing Examples Observed in Q4 2025

Roblox: Phishing Targeting Children and Gamers

In Q4 2025, Check Point Research identified a Roblox-themed phishing campaign observed via user browsing activity. The malicious site was hosted at a lookalike domain, robiox[.]com[.]af, differing from the legitimate roblox.com by a subtle letter substitution.

Fraudulent Roblox Game Page

The landing page presented a fake Roblox game titled “SKIBIDI Steal a Brainrot”, complete with realistic visuals, ratings, and a prominent “Play” button. The content closely mimicks one of the most popular games currently on the Roblox platform, and was clearly designed to appeal to children—a core segment of the platform’s user base.

Fraudulent Roblox Login Page

When users attempted to access the game, they were redirected to a second-stage phishing page that replicated the official Roblox login interface. Credentials entered on the page were silently harvested, while the user remained on the same screen with no visible indication of compromise.

Netflix: Account Recovery as a Lure

Fraudulent Netflix Page

CPR also identified a Netflix-impersonation phishing site, hosted at netflix-account-recovery[.]com (currently inactive). The domain was registered in 2025, in contrast to the legitimate netflix.com, which dates back to 1997.

Legitimate Netflix Page (netflix.com/LoginHelp)

The phishing page closely mirrored Netflix’s official login and account recovery interface, prompting users to enter their email address or mobile number and password. The objective was straightforward: credential harvesting for account takeover, potentially enabling resale or further fraud.

Facebook (Meta): Localized Credential Theft

Fraudulent Facebook (Meta) Page

In another campaign observed during Q4 2025, CPR detected a Facebook-themed phishing page delivered via email and hosted on facebook-cm[.]github[.]io.

The page impersonated Facebook’s login portal and was presented entirely in Spanish, using familiar branding, layout, and authentication prompts. Users were asked to enter their email address, phone number, and password, which were subsequently harvested by the attackers to enable unauthorized account access and potential downstream abuse.

Why Brand Phishing Continues to Succeed

Brand phishing remains effective because it exploits user trust in familiar platforms. Attackers increasingly rely on polished visuals, subtle domain manipulation, and multi-stage flows that closely mimic legitimate user experiences—often leaving victims unaware that their credentials have been stolen.

As identity becomes the primary attack surface, phishing remains a critical initial access vector for both consumer fraud and enterprise breaches.

Check Point Research (CPR) continuously monitors phishing campaigns and brand impersonation trends to help organizations and users stay protected against evolving threats.

You may also like