Facebook was the No. 1 impersonated brand used in phishing attacks in 2021, according to cybersecurity firm Vade. Pictured: Paper circles with the Facebook logo are displayed during the F8 Facebook Developers conference on April 30, 2019, in San Jose, Calif. (Photo by Justin Sullivan/Getty Images)

The "Phishers' Favorites" report released by Vade on Thursday found that Facebook (now Meta) was the No. 1 impersonated brand in 2021, representing 14% of all phishing pages, followed by Microsoft with 13%.

The report also found that Microsoft was the No. 1 most impersonated cloud brand. Vade researchers said Microsoft phishing attacks sharply increased in sophistication in 2021, with a June attack leveraging automation to populate corporate logos and branding onto Microsoft 365 phishing pages. 

On the vertical sector front, financial services was the most impersonated industry of 2021, with six brands in the Top 20 that represented 35% of all phishing pages. Chase, PayPal, and Wells Fargo were the most impersonated financial services brands. Other important findings:

  • Mondays and Tuesdays are the top days for phishing.
  • 78% of phishing attacks occur on weekdays.
  • Monday and Thursday are the top days for Facebook phishing.
  • Thursday and Friday are the top days for Microsoft phishing.

Organizations and employees are bombarded with phishing emails, some of which clearly evade email security, explained Saryu Nayyar, founder and CEO of Gurucul. Nayyar said that, given the sophistication and deception used by threat actors, someone will invariably click on one of these emails, compromising an organization.

“The goal of many of these attacks is to either steal credentials or establish a footprint to begin an attack campaign for data theft, disruption or ransomware detonation,” Nayyar said. “Because of this, many CSOs understand that the initial compromise is almost inevitable and we are seeing a shift from evaluation and investment in preventive measures to a larger focus on threat detection and incident response.”

George McGregor, vice president at Approov, pointed out that all of these brands are also heavily dependent on mobile apps. McGregor said cloned and modified apps are increasingly being used as an attack vector, with fake or modified apps used to steal consumer data and divert transactions.

“The phishing problem is no longer only about fake web pages, and it’s imperative that security teams evaluate and reinforce the protection of their mobile apps against cloning and manipulation,” McGregor said.

Patrick Harr, CEO of SlashNext, said Vade’s data runs in line with what his team has been seeing. However, Harr said SlashNext’s threat lab has seen more targeting of Microsoft products than Facebook, with a 57% increase from Q4 2021 to the first months of 2022.

“The interesting point about the times of the week is all about the cybercriminal,” Harr said. “They work much like enterprises, working Monday to Friday, taking the weekends off. Our threat labs see phishing start to ramp up on Sundays in the U.S. because this is Monday morning in other parts of the world where many of the cyberattacks originate. It peaks on Monday and Tuesday and begins to taper off towards the end of the week.”

Hank Schless, senior manager, security solutions at Lookout, added that social engineering remains one of the biggest headaches that IT and security teams have to deal with. Schless said organizations need to implement a security strategy that protects users, devices, and data from the individual endpoint up to the cloud.  

“These phishing attacks are particularly effective on mobile devices,” Schless said. “That's because smartphones and tablets have simplified interfaces that hide many red flags indicative of phishing attacks. They can also deliver phishing links through email, SMS, social media platforms, third-party messaging apps, gaming and even dating apps.”