Findings highlight identity-driven attack patterns as cybercriminals increasingly impersonate the world’s most trusted brands
Johannesburg, SA April, 2026 – Check Point Research (CPR), the
Threat Intelligence arm of Check Point® Software Technologies Ltd.
(NASDAQ: CHKP), a pioneer and global leader of cyber security solutions,
has released its Brand Phishing Ranking for Q1 2026. The latest findings
show that Microsoft remained the most impersonated brand, appearing in
22% of all phishing attempts recorded during the quarter. The results
continue to highlight a persistent trend: cybercriminals are
systematically abusing widely used enterprise, cloud, and consumer
platforms to harvest credentials and gain initial access to accounts and
corporate environments.
Apple rose to second place with 11%, followed by Google in third place
at 9%. Amazon ranked fourth with 7%, while LinkedIn climbed to fifth
place at 6%, underscoring growing attacker interest in professional
identities and workplace access. Notably, the top four brands alone
accounted for nearly 50% of all brand phishing attempts observed during
the quarter, reflecting a strong concentration around a small number of
globally trusted platforms.
By industry, the Technology sector remained the most impersonated
category, followed by Social Networks and the Banking sector,
demonstrating how identity-centric services and financial platforms
continue to be prime targets for phishing-driven attacks.
Omer Dembinsky, Data Research Manager at Check Point Research,
says:“Phishing attacks continue to evolve in both scale and
sophistication, increasingly relying on highly convincing brand
impersonation, polished user interfaces, and subtle domain manipulation.
The fact that Microsoft, Apple, and Google remain at the top of the
rankings shows how critical identity and cloud access have become for
attackers. At the same time, the rise of platforms like LinkedIn
highlights growing interest in professional and enterprise environments.
To reduce risk, organizations must adopt a prevention-first approach
that combines AI-driven threat intelligence with proactive protection
across email, web, and collaboration platforms.”
Top 10 Most Imitated Brands in Phishing – Q1 2026
- Microsoft – 22%
- Apple – 11%
- Google – 9%
- Amazon – 7%
- LinkedIn – 6%
- Dropbox – 2%
- Facebook – 2%
- WhatsApp – 1%
- Tesla – 1%
- YouTube – 1%
The continued dominance of major technology brands reflects their
essential role in identity management, productivity tools, cloud
services, and professional networking, making associated credentials
highly valuable to cybercriminals.
Phishing Campaigns Observed in Q1 2026
Microsoft: Credential Harvesting via Subdomain Abuse
In Q1 2026, CPR identified a malicious website designed to impersonate
Microsoft’s legitimate authentication service:
login[.]microsoftonline[.]com[.]office[.]sibis-office365[.]mtigroup[.]myshn[.]net
The campaign leveraged a common phishing technique in which trusted
brand names are embedded within long subdomains under unrelated parent
domains, increasing the likelihood that users overlook the full URL. The
site presented a Microsoft-branded login page and exhibited inconsistent
authentication behavior, strongly indicating a credential-harvesting
attempt.
Also read: https://brandspurng.com/2026/04/23/meet-the-10-contestants-cooking-for-glory-on-masterchef-nigeria/
PlayStation: Fake Online Store and Payment Fraud
CPR also observed a phishing website hosted at playstation-stores[.]com,
falsely presenting itself as an official PlayStation store. The site
advertised promotional discounts and allowed users to proceed through a
checkout process, ultimately instructing victims to complete payment via
direct bank transfer—an indicator of financial fraud. Multiple broken
links and redirects further signaled malicious intent.
WhatsApp: Account Takeover via QR Code Abuse
Another campaign identified during the quarter impersonated WhatsApp
Web, hosted at web[.]whatsapp[.]app[.]hl[.]cn. The phishing page closely
resembled the legitimate WhatsApp Web interface and prompted users to
scan a QR code. By doing so, victims risked linking their accounts to
attacker-controlled sessions, potentially enabling unauthorized access
to private conversations and account activity.
Adobe: Malware Distribution via Fake Software Download
In a separate incident, CPR uncovered a phishing site masquerading as
Adobe Acrobat, hosted at adobe[.]donittech[.]com/windows[.]php. The
domain, registered in November 2025, lured users into downloading a
malicious MSI file that installed ConnectWise software abused as a
Remote Access Trojan (RAT), allowing attackers to gain remote control of
infected systems.
Why Brand Phishing Is Gaining Momentum
Brand phishing continues to gain traction as cybercriminals increasingly
exploit the credibility of globally recognised digital services. By
using convincing lookalike domains, realistic login interfaces, and
multi‑step authentication flows, attackers are able to bypass user
suspicion and silently capture credentials at scale, perform financial
fraud or initiate malware infection chains.
“_This trend is being amplified by the widespread adoption of cloud
services and digital identity platforms, where a single compromised
account can provide access to email, collaboration tools, financial
data, or corporate networks. As a result, brand phishing has become one
of the most common initial access methods behind both large__‑__scale
consumer fraud and enterprise security breaches, reinforcing its growing
role in today’s threat landscape_,” says Lorna Hardie, Regional
Director: Africa, Check Point Software Technologies.
Follow Check Point on LinkedIn [1], X (formerly Twitter [2]), Facebook
[3], YouTube [4] and our blog [5].
About Check Point Research
Check Point Research provides leading cyber threat intelligence to Check
Point Software customers and the greater intelligence community. The
research team collects and analyzes global cyber-attack data stored on
ThreatCloud to keep hackers at bay, while ensuring all Check Point
products are updated with the latest protections. The research team
consists of over 100 analysts and researchers cooperating with other
security vendors, law enforcement and various CERTs.
About Check Point Software Technologies Ltd.
Check Point Software Technologies Ltd. (www.checkpoint.com [6]) is a
global cyber security leader protecting more than 100,000 organizations
worldwide. Its mission is to secure enterprises’ AI transformation.
With a prevention-first approach and an open ecosystem architecture,
Check Point helps organizations block advanced threats, prioritize
exposures, and automate security operations across complex digital
environments. The unified architecture simplifies protection across
hybrid networks, multi-cloud environments, digital workspaces, and AI
systems. Structured around four strategic pillars, Hybrid Mesh Network
Security, Workspace Security, Exposure Management, and AI Security,
Check Point delivers consistent protection and visibility across
multivendor environments, enabling organizations to reduce risk, improve
efficiency, and accelerate innovation without increasing complexity.
Legal Notice Regarding Forward-Looking Statements
This press release contains forward-looking statements. Forward-looking
statements generally relate to future events or our future financial or
operating performance. Forward-looking statements in this press release
include, but are not limited to, statements related to our expectations
regarding our products and solutions, our expectations regarding future
growth, the expansion of Check Point’s industry leadership, the
enhancement of shareholder value and the delivery of an industry-leading
cyber security platform to customers worldwide. Our expectations and
beliefs regarding these matters may not materialize, and actual results
or events in the future are subject to risks and uncertainties that
could cause actual results or events to differ materially from those
projected. The forward-looking statements contained in this press
release are also subject to other risks and uncertainties, including
those more fully described in our filings with the Securities and
Exchange Commission, including our Annual Report on Form 20-F filed with
the Securities and Exchange Commission on March 17, 2025. The
forward-looking statements in this press release are based on
information available to Check Point as of the date hereof, and Check
Point disclaims any obligation to update any forward-looking statements,
except as required by law.
