Phishing Trends: January 2022

Published on February 28, 2022

Each month, OpenPhish analyses tens of millions of URLs to identify phishing content. This report breaks down the shifts in targeted brands, industries, and phishing infrastructure. Data for this report is generated using our Phishing Database.

January saw an increase of 27% in phishing volume from December, with the Online and Cloud Services sector seeing an increase of 30% in phishing activity. 55% of phishing URLs used HTTPS, an increase from 51% in December.

Top 10 Impersonated Brands

Brand Industry Hostnames
Facebook, Inc. Social Networking 2085
WhatsApp Social Networking 1320
Office365 Online/Cloud Service 1295
Outlook Online/Cloud Service 912 Inc. e-Commerce 843
Crypto/Wallet Payment Service 747
Tencent Online/Cloud Service 497
M & T Bank Financial 418
Webmail Providers Email Provider 330
PayPal Inc. Payment Service 303

Phishing attacks targeting Tencent rose by more than 50% in January, followed by a 49% increase in attacks impersonating Microsoft products - Office365 and Outlook. Phishing targeting Amazon decreased by 42% month-over-month. There were no changes in the top 10 targeted brands between January and December.

Top 10 Abused TLDs

TLD Type % Phishing URLs
com gTLD 43.10%
app gTLD 14.15%
org gTLD 6.98%
ru ccTLD 3.03%
net gTLD 2.08%
app gTLD 2.23%
xyz gTLD 2.05%
co ccTLD 1.70%
cn ccTLD 1.43%
page gTLD 1.37%

Threat actors exploited a total of 433 TLDs for phishing content, an increase of 14% compared to the previous month. The legacy TLDs accounted for 52% of the phishing URLs. The .app gTLD saw a 7x increase in phishing content month-over-month, followed by a 2x increase for the .co ccTLD.

Top 10 Abused ASNs

ASN ASN Name Hostnames
AS54113 Fastly 6750
AS46606 Unified Layer 2500
AS13335 Cloudflare, Inc. 2029
AS27647 Weebly, Inc. 2018
AS8075 Microsoft Corporation 1948
AS15169 Google LLC 1413
AS22612 Namecheap, Inc. 729
AS14618, Inc. 504
AS8100 QuadraNet Enterprises LLC 492
AS16509, Inc. 454

A total of 979 ASNs hosted phishing sites, an increase of 2% compared to December. Fastly saw a 15x increase in the number of unique hostnames, while phishing content hosted on Google, Digital Ocean and Amazon declined by 35% on average compared to the month before.