Microsoft tops phishing brand rankings in first quarter

Microsoft remained the most imitated brand in phishing attacks in the first quarter of 2026, according to Check Point Research. Apple ranked second and Google third.

Microsoft accounted for 22% of all brand impersonation attempts during the quarter, while Apple made up 11% and Google 9%. Amazon placed fourth with 7%, and LinkedIn rose to fifth with 6%.

The figures show attacks concentrated around a small group of well-known platforms. The top four brands alone represented nearly half of all observed phishing attempts during the period.

Technology companies again dominated the rankings by sector, followed by social networks and banking. The pattern reflects attackers' continued focus on services tied to logins, messaging, financial accounts and everyday online activity.

The top 10 most imitated brands also included Dropbox and Facebook, each with 2%, followed by WhatsApp, Tesla and YouTube, each with 1%.

Attack patterns

Researchers identified several campaigns during the quarter that showed how phishing operations are moving beyond simple fake login pages.

One campaign used a website designed to imitate Microsoft's authentication service. The page displayed Microsoft branding and prompted users to enter an email address, then moved through what researchers described as an inconsistent login sequence with a verification code prompt and password entry before ending on a non-functional screen.

That pattern suggested a credential-harvesting operation designed to collect account details rather than complete a legitimate sign-in.

Another campaign impersonated PlayStation through a fake online shop. The site advertised discounts and low prices, let users browse products and fill a shopping basket, but directed customers at checkout to pay by direct bank transfer.

The scam also included broken links and redirects to PlayStation's legitimate website, suggesting the operators were trying to create a veneer of authenticity while collecting money directly from victims.

A separate example involved a phishing site mimicking WhatsApp Web. The page encouraged users to scan a QR code to link their device, a process that could instead connect the victim's account to an attacker-controlled session.

The report also described a malicious site posing as Adobe Acrobat. Rather than stealing credentials, the page lured users into downloading an MSI installer that deployed ConnectWise as a remote access trojan, giving attackers control of the compromised device.

Trusted names

The ranking underlines a long-running pattern in phishing campaigns: threat actors repeatedly rely on names users are most likely to recognise and trust. Brands such as Microsoft, Apple and Google sit at the centre of email, identity and device use for both consumers and corporate staff, making them frequent bait in fraudulent messages and websites.

LinkedIn's presence in the top five also reflects the value of professional identities to attackers. Access to a work-related account can provide a route to broader corporate targeting, especially where users rely on multiple linked services.

While many phishing campaigns still revolve around stolen usernames and passwords, the latest examples show a broader range of tactics. Some operations seek direct payment, some try to hijack sessions through QR code abuse, and others use fake software downloads to install malware.

Wider risks

The findings highlight two sides of brand abuse. One is the use of a company's name and image in scams aimed at its customers. The other is the use of trusted brands to deceive employees inside an organisation.

In the first case, a company may not itself be breached, yet fake domains, copied branding and fraudulent pages can still damage customer trust and expose users to theft. In the second, an employee who responds to what appears to be a familiar sign-in request can hand over credentials that give an attacker access to a business network.

Check Point Research argued that these risks are no longer confined to email and require broader monitoring across domains, applications, identities and endpoints. The examples from the quarter suggest phishing now spans credential theft, account takeover, payment fraud and malware infection.

By volume, however, attackers' preferences remain clear. Microsoft alone accounted for more than one in five brand impersonation attempts, keeping it in first place, while Apple's rise to second indicates growing attacker interest in consumer ecosystems linked to payments, identity and personal devices.

Google followed in third place at 9%, with Amazon at 7% and LinkedIn at 6%, rounding out a top five dominated by platforms that hold large amounts of user data and serve as gateways to other online services.