The first phishing incident took place in 1994, when a Pennsylvania teenager sent bogus messages asking AOL customers to verify their accounts, revealing their passwords to the scammer. Thirty years later, many of the thousands of phishing emails sent each day rely on the same underlying technique: trust in a well-known brand name.
For our latest industry report, the team here at Mailsuite analyzed more than 1.14 million phishing scam reports since 2020 and found that 249,615 of them involved impersonating a company or organization. These phishing scammers send a falsely branded message asking, with some urgency, for the recipient to click a link or provide personal data. When a small business employee clicks a link in such an email, they may inadvertently install ransomware on their network or provide crooks with the information they need to access company accounts.
Professionals should verify any email they receive before clicking a link or sharing data. However, it can help to know what phishing emails tend to look like. So, we have identified the brands and industries that phishing scammers most commonly impersonate.
What We Did
We counted the number of reported, verified phishing scams listed on PhishTank for 256 major brand names between January 2020 and March 2024, removing brands that couldn’t be verified as legitimate organizations and matching each brand name to the country of its headquarters.
Key Findings
- Facebook/Meta is the U.S. brand that phishing scammers impersonate the most, with 10,457 verified phishing scams over the past four years.
- Japanese telecoms firm au by KDDI is the international brand that phishers impersonate the most, with 18,964 scams since January 2020.
- Japanese payment brand JCB is the banking/finance brand that phishers impersonate the most (14,907 times).
- Over a quarter (27.93%) of brand impersonation phishing scams involve IT & Technology brands.
The U.S. Brands that Phishing Scammers Impersonate the Most
Four of the ten most impersonated U.S. brands are in IT & Technology, and four are in Banking and Financial Services. Facebook/Meta is the most impersonated of all by phishing scammers, with 10,457 verified phishing incidents since 2020. That’s 7% more reported incidents involving Facebook impersonators than the second-worst affected U.S. organization, the IRS.
Facebook says that phishing messages may range from the subtle (notifications about friend requests) to the fantastic (claims or offers that sound too good to be true, such as winning a Facebook lottery). Social media network users are particularly vulnerable to emotive messages such as the “somebody died” scam or the suggestion that personal data or browsing behavior may have leaked. With the rise of AI spam accounts on the network, Facebook phishing attempts will likely become more sophisticated.
Two e-commerce brands also make the U.S. top ten: Amazon and eBay. Amazon claims to have shut down 45,000 phishing websites and more than 15,000 scam phone numbers in 2023, with fraud attempts rising ahead of the holiday season. We found 8,919 verified phishing reports involving Amazon impersonators, which is 4.23 times as many scams as those involving eBay (2,080).
The International Brands that Phishing Scammers Impersonate the Most
Despite the huge number of phishing scams from fraudsters impersonating Facebook, four international companies are impersonated more often — and they’re all based in Japan.
Telecoms firm au by KDDI, train company JR East, retail franchise Aeon and payment service JCB all have well over 10,000 verified scams associated with their names. There was a record number of phishing scams in Japan in 2023, and the previous annual record for unauthorized money transfers was surpassed just halfway through the year. “Today’s phishing sites copy screens and create identical ones,” says Hisashi Arai of KDDI’s UX and Quality Department. “The only way to tell them apart is by the site address.”
There are also three Polish brands and one UK firm among the ten most impersonated. British multiplayer online role-playing game RuneScape is the UK’s most impersonated brand and was the second most impersonated in the world in 2020. It is possible to make real money in RuneScape by “farming” in-game currency and skills. This makes RuneScape players an attractive target for scammers, who send emails purporting to be from Jagex, the game’s publisher, tricking players into giving access to their accounts.
The Industries that Phishing Scammers Impersonate the Most
Between them, brands in IT & Technology (27.93%) and Banking & Financial Services (24.57%) account for over 50% of all phishing scam impersonations. Companies in these industries have a powerful combination of high customer engagement levels, valuable credentials and high levels of trust based on familiarity. Fraudsters also prey on customer emotions, creating fear or hope around a false story of a potential windfall or, ironically, a fake security issue that supposedly needs immediate attention.
The fear of disruption to tech and banking services is enough to get many phishing victims to click before they take a moment to assess the offending email critically. And the apparent authority of the email sender makes it more likely that the recipient will comply with the request.
“[P]hishers use psychology to convince their victims to take an action they may not normally take,” says Jess Burn, senior analyst at Forrester Research. “Most people want to be helpful and do what someone in authority tells them to do. Phishers know this, so they prey upon those instincts and ask the victim to help with a problem or do something immediately.”
The Tech Brands that Phishing Scammers Impersonate the Most
Facebook/Meta is the most impersonated tech brand in the world (see The U.S. Brands that Phishing Scammers Impersonate the Most, above), with 10,457 scams since 2020. Fellow tech giants Apple (9,110), Amazon (8,919) and Microsoft (4,518) are not far behind. Apple impersonators may ask you for your Apple ID and password, potentially getting access to your Apple Pay account as well as services such as App Store, Apple Music and iCloud.
Also among the top five is the video game distribution platform Steam, with 4,833 verified impersonations since 2020. Lured to a fake Steam page, victims may inadvertently grant the scammer access to the API (Application Programming Interface) that connects third-party websites to their account, allowing the scammer to intercept their trades and steal from their account. Or the scammer may more simply steal their log-in or verification details to gain access to the account.
The Banking and Finance Brands that Phishing Scammers Impersonate the Most
Japan’s only international payment brand, JCB, is the most impersonated money brand in the world and the fourth-most impersonated brand regardless of category. JCB has 14,907 verified scams since 2020, which is 52.7% more than the second-worst hit money brand, the U.S. Internal Revenue Service (IRS).
The Federal Communications Commission (FCC) warns that IRS scams are particularly prevalent around tax season — ahead of April 15 or, for those with extensions, the middle of October. In addition to phishing scams, fraudsters may use spoofing, robocalls and smishing (SMS phishing) to trick victims.
“The IRS doesn’t initiate contact with taxpayers by email, text messages or social media channels to request personal or financial information,” according to the IRS website. “This includes requests for PIN numbers, passwords or similar access information for credit cards, banks or other financial accounts.”
Analyzing Phishing Scam Trends Since 2020
Here’s a look at the most impersonated brands per year. It reveals that tech giants and the IRS are the most consistent victims of impersonation. However, Polish e-commerce giant Allegro was particularly badly hit in 2023, with 6,399 verified reports in a year. One scam encouraged email recipients to log in to Allegro within 72 hours to collect a bonus of over PLN 650 ($160). The link led to a fake Allegro website, giving the crooks access to victims’ store accounts, and then pushed the victims to log in to a fake bank site to receive the money.
Japanese brands suffered a particular wave of phishing scams in 2022. The National Police Agency (NPA) links this uptick in cybercrime to the Russian invasion of Ukraine as well as the activities of the North Korean cyberattack group ‘Lazarus.’ In response, the NPA established the Cyber Affairs Bureau and the National Cyber Unit the same year — however, in general, cybercrime in Japan continues to rise.
How to Protect Your Business from Phishing Emails
When a small business is hit by a phishing scam, the livelihoods of employees, customers and business owners can be impacted. To protect your business, consider the following tips.
1. Teach your team about phishing
A small business’s cybersecurity is only as strong as its weakest link. Stay up to date on the latest fraud techniques and hold regular training sessions to keep your employees informed and vigilant.
2. Improve your security
Ensure operating systems are updated across your IT suite, take steps to keep company email accounts safe, and install anti-virus and malware detection software. But remember, your systems may also be compromised through web-based email accounts, so ensure staff are aware of the risks across all email clients.
3. Implement multi-factor authentication (MFA) across your firm’s online services
With multi-factor authentication, crooks will have trouble accessing accounts even if they obtain a password.
4. Verify every request
You probably read about the Hong Kong finance worker who sent $25 million to fraudsters following a deep-faked business call. Make it a company protocol to double-check every request for log-in details, data or payments.
5. Be prepared
Cyberattacks are ever more sophisticated, while human error is never totally avoidable. Prepare an incident response plan (IRP) to minimize the damage caused by a security incident.
6. Don’t forget about document security
Your team uses email not only to communicate but also to share important documents with each other and with your customers. Teach your employees the basics of sending secure documents via email: require a signature upon receipt, control and monitor document access, and encrypt emails and attachments.
Cybercrimes of the Future
As long as there are networked computers, there will be cybercrime. But the irony of cybercrimes such as phishing is that they exploit human nature and fallibility, whether it’s the abused trust inherent in fake emails and websites from impersonated brands or the panic that sets in when a message gives you a short time to respond.
Three decades on from the first phishing incident, the quick growth of AI text, image and voice generation is ushering in a new era of fraudulent identity crime, and it should be a fundamental of every small business’s protocol to stay ahead of the fraudsters and prepare for attacks.
Methodology
We identified the brands and industries that phishing scammers impersonate the most by counting the number of reported, verified phishing scams listed on PhishTank for 256 major brand names between January 2020 and March 2024.
We removed any ambiguous brand names that couldn’t be verified as legitimate companies or organizations, matching each brand name to the country of its headquarters.
Overall, we analyzed more than 1.14 million phishing scam reports, 249,615 of which were identified as impersonating a company or organization.
This data analysis was completed in April 2024.
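As an added illustration of the counting described above (not the report’s own code), here is a Python sketch that applies the same steps to constructed PhishTank-style rows: keep only verified reports, restrict to January 2020 through March 2024, drop targets that cannot be matched to a known brand, then tally per brand and compute each industry’s share. The brand table, field names and sample rows are assumptions, not data from the report.

```python
from collections import Counter
from datetime import datetime, timezone

# Constructed sample rows (not real reports), shaped like the fields of a
# PhishTank export: phish_id, url, submission_time, verified, target.
SAMPLE_ROWS = [
    {"phish_id": 1, "url": "http://fb-login.example/", "submission_time": "2021-03-02T10:00:00+00:00", "verified": "yes", "target": "Facebook"},
    {"phish_id": 2, "url": "http://secure-fb.example/", "submission_time": "2022-07-15T08:30:00+00:00", "verified": "yes", "target": "Facebook"},
    {"phish_id": 3, "url": "http://fb-verify.example/", "submission_time": "2019-12-30T12:00:00+00:00", "verified": "yes", "target": "Facebook"},  # before window
    {"phish_id": 4, "url": "http://amzn-prize.example/", "submission_time": "2023-11-20T09:00:00+00:00", "verified": "yes", "target": "Amazon"},
    {"phish_id": 5, "url": "http://amzn-order.example/", "submission_time": "2023-11-21T09:00:00+00:00", "verified": "no", "target": "Amazon"},  # unverified
    {"phish_id": 6, "url": "http://jcb-card.example/", "submission_time": "2022-05-05T16:45:00+00:00", "verified": "yes", "target": "JCB"},
    {"phish_id": 7, "url": "http://jcb-auth.example/", "submission_time": "2024-03-31T23:59:00+00:00", "verified": "yes", "target": "JCB"},  # last day of window
    {"phish_id": 8, "url": "http://random.example/", "submission_time": "2023-01-01T00:00:00+00:00", "verified": "yes", "target": "Other"},  # unmatched brand
    {"phish_id": 9, "url": "http://irs-refund.example/", "submission_time": "2024-04-02T11:00:00+00:00", "verified": "yes", "target": "IRS"},  # after window
]

# Hypothetical brand -> (HQ country, industry) table standing in for the report's 256-brand list.
BRANDS = {
    "Facebook": ("US", "IT & Technology"),
    "Amazon": ("US", "IT & Technology"),
    "JCB": ("JP", "Banking & Financial Services"),
    "IRS": ("US", "Banking & Financial Services"),
}

# Window used by the report: January 2020 through March 2024 (end is exclusive).
WINDOW_START = datetime(2020, 1, 1, tzinfo=timezone.utc)
WINDOW_END = datetime(2024, 4, 1, tzinfo=timezone.utc)

def count_impersonations(rows, brands=BRANDS):
    """Count verified, in-window reports per known brand; unmatched targets are dropped."""
    counts = Counter()
    for row in rows:
        if row["verified"] != "yes":
            continue
        submitted = datetime.fromisoformat(row["submission_time"])
        if not WINDOW_START <= submitted < WINDOW_END:
            continue
        if row["target"] in brands:
            counts[row["target"]] += 1
    return counts

def industry_share(counts, brands=BRANDS):
    """Percentage of brand impersonations per industry, rounded to two decimals."""
    by_industry = Counter()
    for brand, n in counts.items():
        by_industry[brands[brand][1]] += n
    total = sum(counts.values())
    return {ind: round(100 * n / total, 2) for ind, n in by_industry.items()}
```

Running `count_impersonations(SAMPLE_ROWS)` on the constructed rows yields Facebook 2, JCB 2 and Amazon 1, and `industry_share` reports IT & Technology at 60.0% and Banking & Financial Services at 40.0%.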