infotechlead

Microsoft Tops Global Brand Phishing Ranking for Q4 2025, Check Point Research Reports

Microsoft is the most impersonated brand worldwide, according to Check Point Research (CPR), the threat intelligence division of Check Point Software Technologies.

Microsoft trade event in Germany

Check Point’s Brand Phishing Ranking for Q4 2025 said Microsoft accounted for 22 percent of all phishing attempts during the quarter, continuing a consistent trend of attackers targeting widely used enterprise and consumer platforms to steal credentials and gain unauthorized access.

Following Microsoft, Google and Amazon were the second and third most impersonated brands, representing 13 percent and 9 percent of phishing attacks respectively. Amazon’s surge in phishing activity was largely attributed to Black Friday and the holiday shopping season.

Notably, Facebook (Meta) re-entered the global top 10 for the first time in several quarters, ranking fifth, reflecting increased interest from cybercriminals in social-media account takeovers and identity theft.

Omer Dembinsky, Data Research Manager at Check Point Research, commented, “Phishing campaigns are becoming increasingly sophisticated, using polished visuals, AI-generated content, and convincing domain lookalikes. The continued targeting of Microsoft and Google demonstrates the high value of identity-based access.”

“The return of brands like Facebook and PayPal underscores how quickly attackers adapt, focusing on platforms where trust and urgency can be exploited. Organizations must adopt a prevention-first approach that combines AI-driven detection, strong authentication, and continuous user awareness to counter these threats,” Omer Dembinsky said.

Top 10 Most Imitated Brands in Q4 2025:

1. Microsoft – 22%
2. Google – 13%
3. Amazon – 9%
4. Apple – 8%
5. Facebook (Meta) – 3%
6. PayPal – 2%
7. Adobe – 2%
8. Booking – 2%
9. DHL – 1%
10. LinkedIn – 1%

The report also highlighted emerging phishing campaigns targeting specific audiences. CPR identified a Roblox-themed phishing attack using a lookalike domain robiox[.]com[.]af. The site presented a fake Roblox game, “SKIBIDI Steal a Brainrot,” redirecting users to a fraudulent login page designed to harvest credentials from children and gamers.

Netflix users were targeted with an account-recovery phishing site hosted at netflix-account-recovery[.]com. The page mimicked the official Netflix login interface to capture email addresses, mobile numbers, and passwords for potential account takeover.

Additionally, a Facebook (Meta) phishing campaign delivered emails in Spanish, directing users to a fake login page hosted on facebook-cm[.]github[.]io, where attackers harvested credentials to enable unauthorized access and downstream misuse.
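The three domains above show three different lookalike patterns: a one-character swap, a brand name combined with extra keywords, and a brand name placed on a shared-hosting suffix. The following is an added example, not code from Check Point or from this article, of how a defender could sort observed hostnames into those patterns; the brand allowlist, the suffix set and the verdict names are assumptions made for illustration.

```python
import re

# Assumptions (not from the report): brand allowlist and a tiny stand-in for the
# Public Suffix List; "github.io" is treated as a shared-hosting suffix.
BRANDS = {"roblox": {"roblox.com"}, "netflix": {"netflix.com"}, "facebook": {"facebook.com"}}
SUFFIXES = {"com", "com.af", "github.io"}
SHARED_HOSTING = {"github.io"}

def refang(indicator):
    """Turn a defanged indicator such as robiox[.]com[.]af into a hostname."""
    return indicator.replace("[.]", ".").strip().rstrip(".").lower()

def split_host(host):
    """Return (registrable label, suffix), trying the longest known suffix first."""
    labels = host.split(".")
    for i in range(1, len(labels)):
        if ".".join(labels[i:]) in SUFFIXES:
            return labels[i - 1], ".".join(labels[i:])
    return (labels[-2], labels[-1]) if len(labels) > 1 else (host, "")

def edit_distance(a, b):
    """Levenshtein distance, computed row by row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(indicator):
    """Return (brand, verdict) for one hostname."""
    label, suffix = split_host(refang(indicator))
    for brand, legit in BRANDS.items():
        if f"{label}.{suffix}" in legit:
            return brand, "legitimate"
    for brand in BRANDS:
        if brand in re.split(r"[-_0-9]+", label):  # brand used as a whole token
            return brand, "shared-hosting" if suffix in SHARED_HOSTING else "combosquat"
        if edit_distance(label, brand) == 1:       # single-character lookalike
            return brand, "typosquat"
    return None, "no-match"

# The three defanged domains named in the article, plus one legitimate control.
SAMPLES = ["robiox[.]com[.]af", "netflix-account-recovery[.]com",
           "facebook-cm[.]github[.]io", "www.netflix[.]com"]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, classify(sample))
```

In production the suffix set would be replaced by the full Public Suffix List, and the check would also need to cover brand names placed in subdomains, which this example does not handle.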

Why Brand Phishing Remains Effective:

Subtle lookalike domains designed to trick users

Professionally replicated login pages and interfaces

Multi-stage deception paths appearing legitimate

Exploitation of emotional triggers such as urgency and brand trust

As digital identities become increasingly central in cloud-driven environments, brand phishing continues to be a key method for cybercriminals to gain initial access for consumer fraud and enterprise breaches.

RAJANI BABURAJAN

Baburajan Kizhakedath is the editor of InfotechLead.com. He has three decades of experience in tech media.
