Apple rose to second place with 11 percent, followed by Google in third place with 9 percent. Amazon ranked fourth and LinkedIn climbed to fifth place, indicating a growing interest from attackers in professional identities and access to work environments. Notably, the top four brands together represent nearly 50 percent of all phishing attempts, showing a strong concentration around a small number of globally trusted platforms.
The technology sector remains the most imitated, followed by social networks and the banking sector. This shows that identity-oriented services and financial platforms continue to be important targets for phishing attacks.
Top 10 most imitated brands – Q1 2026
- Microsoft – 22 percent
- Apple – 11 percent
- Google – 9 percent
- Amazon – 7 percent
- LinkedIn – 6 percent
- Dropbox – 2 percent
- Facebook – 2 percent
- WhatsApp – 1 percent
- Tesla – 1 percent
- YouTube – 1 percent
The ongoing dominance of major technology brands reflects their essential role in identity management, productivity tools, cloud services, and professional networks, making the associated login credentials particularly valuable to cybercriminals.
Observed phishing campaigns in the first quarter of 2026
Microsoft: collecting login credentials through subdomain abuse
CPR identified a malicious website posing as Microsoft's legitimate authentication service. The campaign employed a common phishing technique where trusted brand names are incorporated into long subdomains under unrelated main domains. This increases the likelihood that users overlook the full URL. The site displayed a login page with the Microsoft logo and exhibited inconsistent authentication behavior, strongly indicating an attempt to collect login credentials.
PlayStation: fake webshop and payment fraud
CPR also found a phishing website hosted on playstation-stores[.]com, posing as an official PlayStation store. The site offered discounts and led users through a purchase process, after which victims were asked to pay via a direct bank transfer: an indication of financial fraud. Multiple broken links and redirects also pointed to malicious intent.
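A defensive check for the two URL patterns described above (a brand name buried in subdomains of an unrelated domain, and a brand name embedded in a lookalike registrable domain), as an added example that is not from Check Point Research. The brand allowlist, the small suffix set and all sample hostnames except playstation-stores[.]com are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

# Assumption: illustrative allowlist of each brand's own registrable domains.
BRAND_DOMAINS = {
    "microsoft": {"microsoft.com", "microsoftonline.com", "live.com"},
    "playstation": {"playstation.com"},
}
# Assumption: tiny stand-in for the Public Suffix List; use the full list in practice.
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au"}


def registrable_domain(host):
    """Split a hostname into (registrable domain, list of subdomain labels)."""
    labels = host.lower().rstrip(".").split(".")
    n = 3 if ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES else 2
    return ".".join(labels[-n:]), labels[:-n]


def classify(url):
    """Return (verdict, brand) based only on where a brand name sits in the host."""
    url = url.replace("[.]", ".")  # accept defanged indicators
    host = urlsplit(url if "//" in url else "//" + url).hostname or ""
    domain, sub_labels = registrable_domain(host)
    for brand, legit in BRAND_DOMAINS.items():
        if domain in legit:
            return ("legitimate", brand)
    for brand in BRAND_DOMAINS:
        # Brand appears left of an unrelated registrable domain.
        if any(brand in label for label in sub_labels):
            return ("brand-in-subdomain", brand)
        # Brand is embedded in a registrable domain the brand does not own.
        if brand in domain.split(".")[0]:
            return ("lookalike-domain", brand)
    return ("no-brand-match", None)


# Constructed samples, except playstation-stores[.]com, which the report names.
SAMPLES = [
    "https://login.microsoftonline.com/common/oauth2",
    "https://login.microsoftonline.com.auth-session.example.net/signin",
    "account.microsoft.secure-check.example.co.uk",
    "playstation-stores[.]com",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(classify(sample), sample)
```

The verdict depends on the registrable domain being computed correctly, so a production version should replace the two-entry suffix set with the full Public Suffix List.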
WhatsApp: account takeover via QR code abuse
Another phishing campaign posed as WhatsApp Web. The phishing page closely resembled the real WhatsApp interface and asked users to scan a QR code. By doing so, victims risked linking their accounts to sessions controlled by attackers, allowing unauthorized access to conversations and account activities.
Adobe: spreading malware via fake software
CPR also discovered a phishing website posing as Adobe Acrobat. Users were lured into downloading a malicious installation file that installed software misused as a Remote Access Trojan (RAT), giving attackers remote control over infected systems.
Brand phishing is becoming more popular
Brand phishing is gaining popularity as cybercriminals increasingly exploit the credibility of globally recognized digital services. By using convincing lookalike domains, realistic login interfaces, and multi-step authentication processes, attackers can bypass user distrust and collect login credentials on a large scale, commit financial fraud, or initiate malware infections.
This trend is reinforced by the widespread adoption of cloud services and digital identity platforms, where a single compromised account can provide access to email, collaboration tools, financial data, or corporate networks. As a result, brand phishing has become one of the most common initial access methods behind both large-scale consumer fraud and data breaches within organizations.
"Phishing attacks continue to evolve in both scale and complexity, increasingly leveraging highly convincing brand imitations, polished user interfaces, and subtle manipulation of domain names. That Microsoft, Apple, and Google remain at the top shows how crucial identity and cloud access have become for attackers. At the same time, the rise of platforms like LinkedIn highlights the growing interest in professional and corporate environments," says Omer Dembinsky, Data Research Manager at Check Point Research. "To reduce risks, organizations need to adopt a 'prevention-first' approach that combines AI-driven threat intelligence with proactive protection of email, web, and collaboration platforms."