Phishers’ Favorite Report Reveals Massive Increase in WhatsApp Phishing URLs

The Q4, 2019 Phishers’ Favorite report from email security firm Vade Secure shows PayPal is the most impersonated brand in phishing attacks, making it two successive quarters at the top of the list. In Q4, 2019, Vade Secure detected 11,392 new PayPal phishing URLs at a rate of 124 new URLs a day. While the number of new PayPal URLs fell 31.2% from Q3, 2019, detections are up 23% on this time last year.

Second place went to Facebook, which rose two positions in Q4 with 9,795 unique phishing URLs detected. Even with the rise in position, detections decreased by 18.7% from Q3, 2019, but they are up 358.8% on Q4, 2018. Detections were also down for Microsoft (-38.2%) in third position and Netflix (-50.2%) in fourth, which both dropped a place.

Microsoft may be in third position overall, but it is the most commonly impersonated brand in corporate phishing attacks. Microsoft Office 365 credentials are valuable as they can be used to access a wealth of sensitive corporate data. They can also be used to access Office 365 email accounts that can be used for business email compromise attacks, spear phishing attacks on other individuals in an organization, and convincing phishing attacks on partners and suppliers.

The most notable change in the Q4, 2019 report is a massive increase in WhatsApp phishing URLs. Detections were up 13,468% on Q3, 2019 with 5,020 unique phishing URLs detected in the quarter. This was largely due to the activity of the Berbagi WhatsApp group, which advertises pornographic content. The massive increase in WhatsApp phishing URLs saw social media phishing URLs increase from 13.1% of detections in Q3 to 24.1% in Q4.

Bank of Bank of America fell one place with 4,375 URLs detected, a fall of 21.5%, with CIBC rising one place with an increase in phishing URL detections of 11.2%. Desjardins was another notable riser, ascending 4 places to position 8 with a 54.4% increase in URL detections. Apple and Amazon rounded out the top ten with a fall of 57.9% and a rise of 0.6% respectively. Two other notable risers were Instagram, which ascended 16 places to position 13 with an 187.1% increase in URL detections in Q4, and Square, which rose 19 places with a 246.1% increase in phishing URL detections.

The financial services was the most impersonated sector. Vade Secure noted an increase in impersonation of smaller banks in Q4, 2019. Vade Secure suggests this is because smaller financial institutions are likely to have poorer defenses against phishing than the big banks.

Other findings in the Q4, 2019 Phishers’ Favorite report include a rise in note phishing attacks, with OneNote and Evernote the most commonly impersonated note services. Vade Secure also reports that it continues to see large volumes of fake SharePoint and OneDrive phishing emails that direct users to files containing phishing URLs.

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of