Data points from Risk IQ Q2 Phishing Roundup

Top-10-Phishing-Brands-Q1-Q2-highres2-1.pngThreat Management Provider Risk IQ released data comparing the use of top 10 brands names in Phishing attacks from Q1 and Q2, 2017.

The report doesn’t name the top ten brands favored by scammers other than they are “extremely well-known.” It does provide some insight into the metrics of phishing domain usage, number of phishing threats directed at potential victims through the use of top ten branding, together, with an analysis of domain information from the Whois database.

Risk IQ provided the statement below about the data: “From quarter to quarter, RiskIQ tends to observe many of the same brands in our most-phished list. Financial services and digital transaction brands continue to be a favorite target, which is not surprising—as threat actors involved in phishing campaigns attempt to trick users into providing sensitive data, which these companies collect in droves. As such, healthcare companies and major software providers are also regulars in the top-10 most-phished brand's list.”

More qualification of the data.

“The data in this report, which is comprised of internally blacklisted resources—unique phishing URLs in this case—was aggregated exclusively by the RiskIQ team. It will focus on:

  • The number of phishing threats
  • The most targeted brands
  • The Whois characteristics of these phishing threats “

Here’s what they found.

Domain Usage by Scammers

Risk IQ, reports the number of unique phishing domains dropped slightly in Q2, 2017 to Q1, 2017 from 45,025 to 39,320 while the number of unique brands targeted rose from 237 to 316 in the respective quarters. A 15.7% increase in domain usage for targeted brands for Q2.

Most Phished Brands

“The most-phished brands remained the same and included financial services, and digital transaction brands followed by healthcare companies and major software providers.”

Hide and seek

The bad guys continued to hide their identities through utilizing domain privacy features or outright falsification of the whois information submitted to domain registrars. Scammers seemed to prefer two hosting services. Zenedge LLC, followed by CyronOne LLC. Zenedge was the most preferred host in Q2. Why scammers preferred these hosts was not discussed.

Risk IQ also pointed out that “the hosting provider data is not positively correlated with the domain volume of the hosting provider, which was the case with the registrar data.”


Why target the top ten? That’s where the money balls and sensitive data troves are. Financial services and digital transaction brands lead the pack.

The report doesn’t probe the nature of the attacks. An enormous amount of data is now available to scammers as the result of huge data dumps and data exfiltration compromises over the last two years. Phishing scams have the capability of using even more sophisticated and personalized methods to compromise your data, banking information, and credentials.

It would appear that “top brands usage” is more related to spray and pray (mass spam attacks) rather than in cleverly crafted social engineering spear-phishing ploys.

Remember, what proves to be a successful strategy today is highly likely to morph as phishing scammers continue to go to consumer behavior school and fine-tune their social engineering skills to try to stay one step ahead of the threat mitigation community.

We strongly recommend to phish your own users to prevent these types of very expensive snafus. If you're wondering how many people in your organization are susceptible to phishing, here is a free phishing security test (PST):

Get Your Free PST Now


Topics: Phishing

Subscribe To Our Blog

Ransomware Hostage Rescue Manual

Recent Posts

Get the latest about social engineering

Subscribe to CyberheistNews