Phishing Trends: October 2021

Published on November 17, 2021

Each month, OpenPhish analyses tens of millions of URLs to identify phishing content. This report breaks down the shifts in targeted brands, industries, and phishing infrastructure. Data for this report is generated using our Phishing Database.

October saw an increase of 38% in phishing volume over September, with the e-Commerce industry seeing a whopping 547% increase in phishing activity. Additionally, phishing URLs impersonating social networking services rose by 32% from the previous month. 65% of phishing URLs used HTTPs, a decline from 77% in September.

Top 10 Impersonated Brands

Brand Industry Hostnames
Amazon e-Commerce 7636
Facebook Social Networking 2245
Office365 Online/Cloud Service 1268
WhatsApp Social Networking 992
Outlook Online/Cloud Service 866
Tencent Online/Cloud Service 693
Crypto & Wallet Cryptocurrency 593
Webmail Providers Online/Cloud Service 468
Wells Fargo Financial 435
SMBC Financial 433

In October, we saw an 8x increase in phishing volume targeting Amazon, making it the most impersonated brand for the month. SMBC and Wells Fargo entered the top 10 list after a 3x and 1.5x increase in phishing volume, respectively. IRS and Instagram dropped from the list. Phishing volume targeting various cryptocurrency services increased by 50% month-over-month.

Top 10 Abused TLDs

TLD Type % Phishing URLs
com gTLD 36.70%
org gTLD 6.12%
cn ccTLD 5.63%
shop gTLD 4.72% ccTLD 3.99%
ru ccTLD 3.30%
net gTLD 3.23%
xyz gTLD 1.92%
app gTLD 1.66% ccTLD 1.58%

Threat actors exploited a total of 417 TLDs for phishing content, an increase of 18% in comparison to the previous month. The legacy TLDs .com, .net, and .org accounted for nearly 50% of the phishing URLs. The most commonly abused TLD remains .com

Top 10 Abused ASNs

ASN ASN Name Hostnames
AS13335 Cloudflare, Inc. 8674
AS46606 Unified Layer 2603
AS8075 Microsoft Corporation 1413
AS27647 Weebly, Inc. 1061
AS14061 DigitalOcean, LLC 1036
AS16509, Inc. 826
AS22612 Namecheap, Inc. 825
AS8100 QuadraNet Enterprises LLC 804
AS204915 Hostinger International Limited 685
AS15169 Google LLC 679

A total of 1166 ASNs hosted phishing sites, an increase of 16% in comparison to September. Cloudflare saw a 4x increase in the number of unique hostnames. QuadraNet Enterprise has the second-highest growth, with 75%. Phishing content on Amazon dropped by 10% in comparison to the previous month.