The 3rd Annual March Hackness Phishing Bracket

March Madness is upon us again, which can mean only two things: lots of cinderella surprises on the basketball courts; and the release of Area 1 Security’s March Hackness Phishing Bracket that reports the brands most used by hackers as phishing lures.

This past weekend was full of upsets (I should know; I had Virginia tied up to the eventual winner) in the first rounds of the March Madness college basketball tournament. It has been an especially wild few days for the tournament. ESPN is reporting that out of 17 million brackets, zero predicted the correct result for the sweet sixteen.

While predicting college basketball winners is a tough job, predicting cyber threats doesn’t have to be. We know this because hackers remain predictable in how they breach organizations and in the methods they use to get past defenses.

Their consistent ally in this? People like you and I. And core to their methods is the notion of trust.

Who can you trust and who do you trust?

Inquiring hackers want to know — and they do know. It’s the brands we trust that hackers predictably use as phishing lures to get us to open a message, click on a link or download a file so that they can compromise our systems, networks, and data to achieve their malicious objectives. That’s why it’s phishing attacks that cause over 95 percent of cybersecurity-related data loss and financial damage.

The Top 64 Brands That Hackers Spoof

While college basketball elite 64 take to the courts for the annual March Madness competition to see who’s best, here at Area 1 Security, we’ve analyzed recent phishing attacks to identify the top 64 brands hackers are using to attack unsuspecting victims.

The results are in. We’ve seen some trends continue from past years and the addition of some new players to the field.

  • Admittedly skewed towards our sample set — but even so, U.S. brands continue to be a favorite for hackers, with 63 percent of phishing incidents involving spoofing of U.S. brands, up from 48 percent last year.
  • Financial services, previously the preferred industry for hackers to spoof, is still strong but declined from 50 percent of incidents to 44 percent. Cloud services make up a significant portion of the rest.
  • Within the sweet 16 brands spoofed by hackers, there are eight new brands, indicating a trend towards diversity in lures.
  • Most Improved Players (trusted brands to spoof) include Linkedin, Stripe, Airbnb and Craigslist, all new to the sweet sixteen.
  • Up and coming players trusted brands new to the Sweet 16 and the Top 64, include Squarespace and Dropbox.
  • Returning Most Valuable Players include Apple, Facebook, Wells Fargo, and rounding out the top four, Yahoo.
  • After losing the number one spot to Paypal last year, this year, Apple returns to the top spot for the second time.


Stop Phishing: Take Away the Element of Surprise…

The March Madness tournament is full of surprises. But our cybersecurity defenses don’t have to be. While our goal for the phishing bracket is to raise awareness and to illustrate the repetitive and predictable nature of phishing attacks, we hope that in the future this exercise will become obsolete.

Just a few months ago, in their 2018 Global Risks Landscape, the World Economic Forum ranked cyberattacks along with extreme weather events and global nuclear warfare as the biggest risks to our society. Being reactive to a clear and present risk is exactly what the attackers hope we do.

It’s time to go on the offensive with hackers and consider a new approach that effectively stops these attacks. Phishing attacks, due to their targeted nature, easily bypass existing security defenses. However, the repetitive, predictable methods attackers use to execute phishing campaigns and breach user trust remain consistent. Phishing campaigns have to begin somewhere, and they mostly rely on a trusted hook or a lure to get the user to participate. By understanding attacker methods and the infrastructure of their campaigns, it is possible to take a preemptive and an accountable approach to prevent phishing instead of continuing with today’s failing reactive approach.

Which is more than can be said for the actual tournament, where even the best teams can be surprised at times. And the coming weeks will likely throw up more cinderella surprises until the eventual winner is crowned (at this point, its Michigan all the way).

To learn more about how Area 1 Security comprehensively stops phishing before it causes damage and how we’re bringing accountability to the industry, with Pay-Per-Phish.

Want to keep up to date with the latest phishing trends? 

Subscribe to our newsletter here!



Shalabh Mohan

VP, Product at Area 1

With a career spanning 20 years fighting bad guys online, Shalabh leads all product and go-to-market functions at Area 1 Security, with extensive prior experience across security, enterprise, and cloud infrastructure companies such as Aspen Networks, IronPort Systems, Cisco and Bracket Computing. Shalabh and his teams have taken products from conception all the way to large scale businesses; and in the process have consistently helped make the Internet a safer place. An alumnus of Stanford University and the University of Texas at Austin, Shalabh holds five patents and can claim to know something about enterprise infrastructure and security.

How to replace your email gateway with Cloudflare Area 1

Leaders and practitioners responsible for email security are faced with a few truths every day. It’s likely true that their email is cloud-delivered and comes with some built-in protection that does an OK job of stopping spam and commodity malware.

Introducing email link isolation – Email gateway replacement playbook

This week was a big one for us at Cloudflare, one of our four innovation weeks which we hold annually, showcasing new developments, product news and reference architectures.

Superhero strategies for the Phish Fight

Today is National Superhero Day, and we would like to dedicate this day to you—the SOC teams and the security experts on the frontline of the phish fight.