PayPal came in first of the 25 most impersonated brands in phishing attacks for the fourth quarter of 2019, according to a report released Tuesday by Vade Secure.

The Phishers’ Favorites report for the fourth quarter analyzed the number of unique phishing URLs detected by Vade Secure and made publicly available on Looking at data in more than 600 million protected mailboxes across the globe, Vade identified the brands being impersonated as part of its real-time analysis of the URL and page content.

Cybercriminals who launch phishing attacks rely on the popularity and ubiquity of specific brands and products. By spoofing the look and layout of well-known brands, phishing emails try to ensnare potential victims who use those services.

SEE: Phishing attacks: A guide for IT pros (free PDF) (TechRepublic)

PayPal took first place for the second quarter in a row. Though PayPal-impersonated phishing attacks fell by 31% compared with the third quarter, the volume of such attacks rose by 23% from the last quarter of 2018. Seen in an average of 124 unique URLs each day, phishing attacks that used PayPal targeted consumers and businesses, according to Vade.

Cybercriminals use PayPal for phishing because of the quick financial payback from hacking PayPal accounts. Further, active PayPal accounts rose to more than 295 million in the third quarter, offering a huge base of targets for phishing attacks.

Past PayPal phishing campaigns have employed a variety of techniques. Attackers will mix legitimate URLs with phishing URLs, use legitimate reply-to addresses, and redirect users to the actual PayPal site once after they’ve entered their credentials on the phishing page.

One PayPal phishing email displays a message alerting the user to a “new login from unknown device” with such details as the operating system, browser, and version. The email warns the user that access to their PayPal account will be limited until they sign in and confirm their identity.

Vade Secure

In second place, Facebook impersonations may have become more popular due to an increase in sign-ons across the web using Facebook Login, Vade said. By tricking people into logging into different sites using their Facebook credentials, attackers can see which apps they’ve set up then compromise those accounts. As people often use the same password across multiple sites, cybercriminals can reuse those credentials to hack into multiple sites.

Microsoft impersonations took the third spot in Vade’s list, posing a threat for businesses that use such products as Office 365. By skirting past Microsoft’s own defenses, attackers who compromise Office 365 accounts can then access information from SharePoint, OneDrive, Skype, and other Microsoft services.

One type of campaign Vade described uses file-sharing phishing emails that impersonate OneDrive and SharePoint. These emails lead users to a phishing page or contain legitimate notifications to files that harbor phishing emails.

Another type of campaign impersonates OneNote and Evernote with notifications that direct users to a phishing page or notes that contain a phishing URL. The catch here is that notes from OneNote and Evernote aren’t files but rather HTML pages, which then bypass the security filters used by email providers.

“When it comes to phishing in particular and cyberattacks in general, change is the only constant,” Adrien Gendre, chief solution architect at Vade Secure, said in a press release. “Threats are evolving rapidly and they are becoming more and more credible to end users. This underscores the need for a comprehensive approach to email security combining threat detection, post-delivery remediation and on-the-fly user training as the last line of defense.”

Image: weerapatkiatdumrong, Getty Images/iStockphoto