Subscribe to receive notifications of new posts:

2022 March Hackness: The Return of the Phishing Bracket - What 56 Million Emails Reveal about the Most Impersonated Brands

2022-03-26

4 min read

This blog originally appeared in March 2022 on the Area 1 Security website, and was issued in advance of Cloudflare's acquisition of Area 1 Security on April 1, 2022. Learn more.

Area 1 Security’s Sixth Annual March Hackness: The Perfect Phishing Bracket is here!

Learn who made the list of the top brands that attackers use in phishing lures. This bracket is based on an analysis of more than 56 million phishing emails blocked by Area 1’s solution in the preceding 12 months since Feb 2022. Like with the real tournament, there are some surprising Cinderella-like newcomers, well-known MVPs, and 800-plus spoofed organizations in between — but overall, 77% of all phishing attacks exploited just the Top 64 brands in our bracket, below.

Well, it’s that time of the year when NCAA basketball fans find themselves bemoaning broken brackets** and pondering life’s biggest questions, such as:

  • How did the Wildcat men and women both lose in the first rounds?

  • Was Baylor’s exit scientific proof that all good things really must come to an end?

  • DID ALL THAT JUST REALLY HAPPEN?!

  • What if the referees didn’t [insert your adjectives of choice here]?

**A heartbroken RIP to my unsuccessful pick-to-win-it-all, Gonzaga. Goodbye, Bulldogs, we barely knew you.

Now, the Area 1 Security folks can only offer some unscientific opinions to the questions above. After all, our job is to prevent breaches, not prognosticate about bad perfectly fine officiating.

Which means that, unlike the “sometimes it’s just luck” nature of college basketball in March, we prefer to look at cold, hard data to answer threat trend questions.

And that brings us to — DRUM ROLL PLEASE — the introduction of our Sixth Annual March Hackness: The Perfect Phishing Bracket!

This is the time of year we conclusively answer: Which organizations do attackers impersonate most in phishing campaigns?

For 2022, our analysis is based on more than 56 million phishing emails that we intercepted from January 2021 – January 2022. And although attackers pretended to be over 800 different organizations, ultimately, just 64 organizations were the go-to lures in a whopping 77% of these brand phishing attempts:

Breaking Down the Bracket

Now, we’ll reveal soon who was MOST impersonated, but let’s break down our Top 64 (and other initial findings from the overall data), below.

As always, attackers continued to take advantage of the following two, basic concepts when it comes to brand phishing campaigns (which, PS: easily evade DMARC and other email authentication standards):

1) Which technologies do people use most?In Area 1’s first-ever March Hackness, we found hackers often exploited “traditional” banks and financial institutions, and loved to spoof the likes of AOL, Yahoo!, and Craigslist. But that was in 2016, when AOL’s AIM was still around (!!), before Facebook Marketplace launched as ‘the new’ Craigslist … and before something mysterious called Crypto.com rebranded the Staples Center.

Flash forward to today, and:

  • In a sign of the times, and acknowledgement of how much ‘the Cloud’ is a part of all of our lives**, more than 22%** of brand phishing attacks exploited commonly cloud services, such as Amazon, Box, DocuSign, Google, Intuit, Microsoft and many others.

  • But, it isn’t just well-entrenched cloud companies on the list: viral-because-of-TikTok Notion.so, the productivity tool that’s won over high schoolers and The Wall Street Journal, appeared for the first time in our Top 64!

  • Hackers are seeing dollar signs in cryptocurrency: Binance is a March Hackness newcomer (perhaps the Saint Peter’s of surprising suspect emails??!) this year. And although they didn’t crack the Top 64, Coinbase, Metamask, Kraken, Gemini and multiple crypto exchanges were also spoofed in thousands of phishing emails.

  • By the way, Bitcoin, which doesn’t technically qualify as an organization for our bracket, still deserves its own special shot-out: hackers referenced Bitcoin in over 600,000 phishing emails last year. Actually, let’s just assume now that the crypto phishing trend has only one direction to go.

2) Which brands do people trust?Attackers know users are more inclined to open and click messages from organizations that they interact with, whether it’s for information, work or play.

In addition to leveraging the hybrid/remote workforce trend to phish users using popular cloud services, attackers also pretended to be:

  • Healthcare & Social Services: With the Covid pandemic lingering on yet another year, the World Health Organization (last year’s “ophishal champion”) and Humana both reappear in the top 64. Area 1 also blocked thousands of phishing emails pretending to be from organizations like UNICEF and the Centers for Medicare & Medicaid Services … proving that hackers are more than willing to exploit society’s most vulnerable.

  • Grocery Stores/Food & Beverage Retailers: Like 70% of U.S. households last year, my family did a LOT of online grocery shopping. In fact, over half of all shoppers (51%) started online grocery shopping after the pandemic began — and our data shows bad actors have also been happy to jump onto this bandwagon shopping cart. Area 1 intercepted millions of phishing emails spoofing grocers of all sizes, across all regions: from Fred Meyer to Amazon Fresh, to Kwik Shop to Costco, and many, many more.  [Insert bad pun about ordering ‘fish’, not ‘phish,’ here].

Who Will Cut Down the (Phishing) Nets?

We’ll reveal the March Hackness champion — the No. 1 brand used for phishing (the organization used in a whopping 15% of the overall attacks) — soon!

And, in the meantime, you might be wondering: “Why should I care? My organization has email authentication and other tools to block emails from fake senders!”

Well (unless you’re using Area 1), chances are good that brand phishing is still fouling up your organization’s inboxes.

Email authentication standards (i.e., SPF, DKIM and DMARC) can serve useful security functions such as validating server and tenant origins, protecting message integrity, and providing policy enforcement.

However, email authentication is largely ineffective against brand phishing (especially when in the form of payload-less Business Email Compromise).

We’ll dive deeper into the reasons why, after we unveil the winner of the 2022 March Hackness: The Phishing Tournament. Stay tuned here.

PS: We can’t promise our findings will be less stressful than the NCAA championship game on April 4th. But, they should be more useful than wondering what “GO VOLS! GBO!” is like in real life.

Cloudflare's connectivity cloud protects entire corporate networks, helps customers build Internet-scale applications efficiently, accelerates any website or Internet application, wards off DDoS attacks, keeps hackers at bay, and can help you on your journey to Zero Trust.

Visit 1.1.1.1 from any device to get started with our free app that makes your Internet faster and safer.

To learn more about our mission to help build a better Internet, start here. If you're looking for a new career direction, check out our open positions.
Email SecurityCloud Email SecurityPhishingSpoofing

Follow on X

Cloudflare|@cloudflare

Related posts

October 08, 2024 1:00 PM

Cloudflare acquires Kivera to add simple, preventive cloud security to Cloudflare One

The acquisition and integration of Kivera broadens the scope of Cloudflare’s SASE platform beyond just apps, incorporating increased cloud security through proactive configuration management of cloud services. ...

May 30, 2024 1:00 PM

Disrupting FlyingYeti's campaign targeting Ukraine

In April and May 2024, Cloudforce One employed proactive defense measures to successfully prevent Russia-aligned threat actor FlyingYeti from launching their latest phishing campaign targeting Ukraine...