Check Point Data Shows Microsoft Remains the Most Imitated Brand in Phishing
In Q4 2025, Microsoft was once again the most impersonated brand in phishing attacks, accounting for 22% of all brand phishing activity tracked by Check Point Research. The ranking continues a multi-quarter pattern in which attackers consistently target platforms that sit at the centre of identity and access workflows.
Google followed with 13%, while Amazon rose to third place at 9%, driven by increased activity around Black Friday and the year-end shopping period. Apple ranked fourth at 8%.
The same brands have appeared near the top of phishing rankings for several consecutive quarters, reflecting how widely their credentials are used across work, commerce, and consumer services.
Technology Brands Remain the Primary Target
By industry, the Technology sector continued to account for the largest share of brand phishing campaigns in Q4. The focus aligns with attackers’ preference for credentials that can provide access to cloud services, productivity tools, and identity platforms used across multiple organisations.
Social Networks ranked second, driven in part by renewed phishing activity linked to Facebook, which returned to the top ten brands after a prolonged absence. Financial Services followed, reflecting ongoing attempts to harvest credentials for direct fraud and payment abuse.
The Top Imitated Brands in Q4 2025
According to Check Point Research, the ten most impersonated brands during the quarter were:
Microsoft (22%)
Google (13%)
Amazon (9%)
Apple (8%)
Facebook (Meta) (3%)
PayPal (2%)
Adobe (2%)
Booking (2%)
DHL (1%)
LinkedIn (1%)
The concentration reflects how a small number of platforms now anchor authentication and account recovery for large parts of the internet.
Phishing Campaigns Observed During the Quarter
Several campaigns identified in Q4 illustrate how closely phishing pages now replicate legitimate services.
One campaign targeted Roblox, using a lookalike domain created through a subtle letter substitution. The site hosted a fake game page designed to resemble popular Roblox content, complete with visuals, ratings, and a “Play” button. Users attempting to access the game were redirected to a cloned Roblox login page, where credentials were captured without visible errors or warnings.
Another campaign impersonated Netflix using an account-recovery theme. The phishing page closely mirrored Netflix’s official recovery interface and prompted users to enter email addresses, phone numbers, and passwords. The domain used in the attack was registered in 2025, in contrast to Netflix’s long-established official domain.
Check Point Research also observed a Facebook-themed phishing page delivered via email and hosted on GitHub Pages. The page was presented entirely in Spanish and replicated Facebook’s login flow, collecting email addresses, phone numbers, and passwords for account takeover.
Why Brand Phishing Persists
As more services rely on shared login systems, phishing campaigns increasingly focus on those entry points. Attackers continue to invest in realistic design, localised language, and multi-step authentication flows that resemble legitimate user experiences.
The result is a steady concentration of phishing activity around a small group of brands whose credentials unlock access to multiple services — a pattern that has remained consistent across recent quarters.