Phishing Trends: November 2021

Published on December 01, 2021

Each month, OpenPhish analyses tens of millions of URLs to identify phishing content. This report breaks down the shifts in targeted brands, industries, and phishing infrastructure. Data for this report is generated using our Phishing Database.

November saw an increase of 42% in phishing volume over October, with the cryptocurrency sector witnessing a surge of over 1000% in phishing activity. Additionally, phishing URLs impersonating email providers rose by 81% from the previous month. 56% of phishing URLs used HTTPs, a decline from 65% in October.

Top 10 Impersonated Brands

Brand Industry Hostnames
Crypto/Wallet Cryptocurrency 9183 Inc. e-Commerce 2116
Facebook, Inc. Social Networking 1955
Outlook Email Provider 1690
WhatsApp Social Networking 1527
Office365 Online/Cloud Service 1395
Webmail Providers Email Provider 667
Tencent Online/Cloud Service 606
PayPal Inc. Payment Service 449
Instagram Social Networking 360

In November, we saw a 15x increase in phishing volume targeting cryptocurrency services, making it the most impersonated brand for the month. PayPal and Instagram entered the top 10 list after a 12% increase in phishing volume on average. Wells Fargo and SMBC dropped from the list. Phishing volume targeting Outlook increased by 110% month-over-month.

Top 10 Abused TLDs

TLD Type % Phishing URLs
com gTLD 49.17%
org gTLD 5.74%
ru ccTLD 3.92%
net gTLD 3.53% ccTLD 3.25%
cn ccTLD 2.04%
app gTLD 1.96%
xyz gTLD 1.69%
id ccTLD 1.43% ccTLD 1.20%

Threat actors exploited a total of 434 TLDs for phishing content, an increase of 4% compared to the previous month. The legacy TLD .com accounted for nearly 50% of the phishing URLs. The most commonly abused TLD remains .com

Top 10 Abused ASNs

ASN ASN Name Hostnames
AS8075 Microsoft Corporation 10127
AS13335 Cloudflare, Inc. 3910
AS46606 Unified Layer 2572
AS16509, Inc. 1387
AS27647 Weebly, Inc. 1224
AS14061 DigitalOcean, LLC 1192
AS15169 Google LLC 877
AS8100 QuadraNet Enterprises LLC 804
AS54113 Fastly 765
AS22612 Namecheap, Inc. 738

A total of 1142 ASNs hosted phishing sites, a decrease of 2% in comparison to October. Microsoft saw a 6x increase in the number of unique hostnames. Amazon has the second-highest growth, with 78%. Phishing content on Cloudflare dropped by over 50% in comparison to the previous month.