The Fourth Annual March Hackness Phishing Bracket

By: Shalabh Mohan| @Area1Security | Area 1 Security

It’s that time of the year again: busted brackets (Marquette, here’s looking at you!), wrong picks and Cinderella stories. As spring rolls around, another exciting March Madness tournament is upon us, the ultimate college basketball tournament. Fans look forward to the entertainment of watching the games, the excitement of predicting what the winning March Madness bracket will look like, and — most importantly — bragging rights on picking the winners or the upset makers.

Here at Area 1, like most other organizations, we have an active and thriving competition ongoing (it has not been a good start for many of us, self included). Not only have we picked teams and submitted our winning bracket predictions for a company-wide competition — but we’ve also been busy collecting and analyzing phishing attacks for our fourth annual March Hackness bracket. This bracket provides critical insight into the brands that hackers most often spoof when executing phishing attacks. Attackers take advantage of trust and authenticity in their phishing campaigns; and the use of trusted brands in unique and authentic messages allows them to successfully phish organizations across the globe.

While predicting college basketball tournament winners is great entertainment, taking a chance on cyber security is a recipe for disaster. Our annual March Hackness bracket gives you unique insight into the top brands being used as phishing lures. So if you’re finding nasty imposter emails evading your defenses and landing in inboxes, we’re ready to help you close that phishing gap.

Here’s the 2019 March Hackness phishing bracket:

This year’s data shows that hackers are continuing to focus on what works — in fact, the top 64 spoofed brands account for 89 percent of spoofed phishing email!

We also find that phishing continues to be a global business, with 50 percent of attacks spoofing US companies, and brands from Europe, Canada, Asia, and South America rounding out the Top 64 spoofed brands list.

And while we see many brands returning to the Top 64 spoofed brands list, we have 29 newcomer brands, indicating that hackers are continuing to evolve and diversify their campaigns.

Cloud Services and Financial Institutions: ACC & Big 10?

With due respect to Kansas and their strong program in the Big 12, our bias is towards ACC & the Big 10 as the top two conferences in college basketball. And we see something very similar within our phishing brackets. Cloud Services and Financial Services are the veritable ACC and Big 10 of phishing; accounting for 100 percent of the trusted lures in the top 10 (60/40 split); and a significant majority across the broader bracket.

Spoofing financial companies continues to be a hacker favorite. Similar to last year, 47 percent of attacks spoofed financial brands in some way or form.

Looking at this year’s “Sweet 16,” the 16 brands most frequently spoofed by hackers, we find financial company spoofs coming on strong, with Paypal and Bank of America taking the numbers one and two spots respectively. New to both the Sweet 16 and the Top 64 this year are two international financial brands, the Canadian financial cooperative Desjardins, and the United Overseas Bank of Singapore. Even in the phishing business, global expansion is alive and well. And rounding out the list of financial institutions in this year’s Sweet 16 are Wells Fargo Bank and JP Morgan Chase.

B2B Cloud Service Providers — Perennial Favorites.

While financial institutions are hackers’ favorite brands for phishing, this year has seen a strong increase in credential harvesting attacks that spoof cloud service brands in an attempt to steal company data and information. With this increase, it’s no surprise to find that B2B cloud service leaders, including Microsoft and Dropbox, have climbed the ranks and landed on the top 10 spoofed brands list. Another B2B cloud service leader, Google, has also climbed the ranks and returned to the top 10 list of spoofed brands. Other B2B cloud service brands ascending to the most spoofed level include Adobe and DocuSign.

Who’s the Winner?

PayPal, a consistent MVP comes back to win this year’s phishing bracket. That’s not a surprise, given their strong use amongst end users and employees across the board. And if its working, why change it? Unlike perception, phishing campaigns are methodical and almost assembly line-like in nature. Anything that has proven to work consistently gets amplified and used in volumes, and that’s what we see with campaigns leveraging Paypal as the trusted lure.

If you were to extend this to the basketball world, it would indicate that the 2019 winner is from the Big 10; with Michigan as the eventual champion.

If you know me, that’s painful, since I picked Virginia in my own bracket this year. Here’s hoping for an upset. Or two.

Learn more

Placing bets on the perfect March Madness bracket is a fun national pastime. But taking a chance on cybersecurity is a recipe for data breach, financial loss, and brand damage. If you’re finding imposter emails in your inboxes, contact Area 1 Security and learn how our performance-based cybersecurity service can protect your organization from phishing attacks, the root cause of 95 percent of cyber breaches.