Whilst phishing attacks continue to become more sophisticated, it is possible, through Ermes technology, to collect data and insights on those attacks.  

In this article Ermes offers several interesting observations and insights, such as the most phished categories as well as the brands they most frequently target. 

We will also take a deeper dive into several major phishing campaigns involving Leon Bet, a very popular gambling site; Microsoft business services; and the banking industry.

Brand phishing: Ermes’ research on the most phished categories and the most phished brands

Ermes routinely monitors and analyzes emerging trends used by malicious actors to design and implement multifaceted phishing campaigns. 

In this article, Ermes shares important insights regarding the most phished brands and the most phished categories (occurring during 2021-2022) to help organizations remain better informed and vigilant. 

These insights and the results of our recent phishing observations and experiments are further developed in our last White Paper “Emerging Trends and Sophisticated Techniques Used By Attackers During 2021-2022″.

Most Phished Categories

As part of our observations, Ermes’ researchers focused on analyzing the web categories (i.e., “Banking”) most targeted by attackers. 

Using a dataset of approximately 66,000 phishing URLS —for which we also obtained the attackers’ targeted categories and brands—by combining it with a subset of 900 different western categories/brands.

The graph below shows the most phished categories for each of the first six months of 2022 as well as the six-month total for 2022 (see pink bars). 

As seen in the data visualization, the four most phished categories (in order) were: 

  • Gambling (e.g., Bet365) 
  • Productivity (e.g., Microsoft websites) 
  • Online Shopping (Amazon, Shopify, etc.)
  • Banking
Brand phishing and Most Phished Categories

While the order of most targeted categories appears to be quite expected, especially given the strategic and economical return they offer an attacker, it was a bit surprising to see Gambling ranked as the most phished category. 

While surprising, it is still relatively easy to understand. The pandemic has contributed dramatically to an increase in revenues for the gambling market over the last three years.

Attackers just follow the money. Therefore, we expect gambling and sports betting websites to continue to attract the interest of attackers for at least the next several months to come. 

We also observed a spike in the number of phishing URLs in the Gambling category for the first two months of 2022. These spikes were caused by a massive phishing campaign that targeted Leon Bet, one of the most popular sports betting platforms on the web. 

Additionally, we noticed that the number of phishing websites for each category (Gambling excluded) increased over time. 

For instance, phishing websites targeting brands in Productivity and Online Shopping categories have more than doubled in the first two quarters of 2022. This is completely in line with the global growing trends of phishing.

Brand phishing

Using the same dataset, we analyzed the specific brands targeted by attackers. 

As might be expected, the gambling site Leon Bet was the most targeted brand in January and February 2022. 

To gain a further understanding of current phishing trends, we reviewed and analyzed our data to provide some details related to three major phishing campaigns. 

Together with the other large gambling site, Bet365 (which ranked third in the most phished brands), they were largely responsible for making Gambling the most phished category. 

Following Leon Bet were websites belonging to Microsoft business products. These websites included SharePoint, OneDrive, Microsoft365, etc. 

We also observed phishing URLs targeting several Apple products with mostly iCloud sign-in pages. It is also interesting that GitHub ranked as one of the most phished brands. 

We believe GitHub and other code-sharing platforms might be attracting bad actors interested in implementing more complex attacks involving software suppliers.

Digging Further into Phishing Campaigns

To gain a further understanding, we reviewed and analyzed our data to provide some details regarding three major phishing campaigns.


When evaluating Leon Bet campaigns, we observe more than 25,000 different phishing URLs. The vast majority of these were structured with 7 to 8 numbers followed by “.win” and “.vip” TLDs (e.g., 9997798[.]vip, 9999961[.]win).

All these domains had been registered with the registrar Namecheap Inc. The information provided by the registrar indicated that these domains were headquartered in Iceland, but this is almost certainly untrue. The remaining phishing URLs (about 100) were registered at Dynadot, LLC (e.g., xn——6cdb0awaegcpfxfjck1bqfas1b3cwiza2h[.]top, zerkalo-leonbets10[.]top).


In our analysis, we identified about 4,000 phishing URLs targeting services from Microsoft. We observed no campaigns with uniquely distinctive attributes. In fact, phishing domains were distributed across different registrars.

Also, the phishing pages presented different features which were difficult to cluster together. This means that Microsoft might be a target of micro-phishing campaigns involving a few spot domains. For example, domains observed in this grouping included microsoftupdate[.]cf, microsoft-remont-nn[.]ru/, and login-microsoft.commonosft[.]com.


We found 2,800 different phishing URLs targeting banks and financial institutions. The 20 most targeted banks by phishers worldwide are shown in the graph below. The distribution aligns with the popularity of the banks we reviewed in the most phished brands.

Brand phishing: Banking graph

Brand phishing : Early Detection is Key

Fast detection of phishing threats is key to thwarting attackers before they are successful in achieving their malicious intents. Many phishing pages are highly targeted and designed to be dismantled as soon as they achieve their objective. 

Right now, the “golden hours” of phishing pages (the time between the first visit and the time and of detection) currently averages about 9 hours.

 Also, the timespan between the first victim visit to the page and the last victim visit is approximately 21 hours.

In general, Ermes For Enterprise is much quicker than its direct competitors at detecting phishing URLs. This can be seen at Ermes Live Report, where we report a sample of freshly discovered phishing pages not implementing any cloaking, making it easy to check for related information. 

For each phishing URL listed, we report the time at which it was discovered (and blocked) by Ermes. We also indicate the time at which it was discovered by other competitors (if any). Along with this, we show the time at which the phishing page or entire domain was taken down by the hosting platform or DNS provider. 

By analyzing our dataset consisting of hundreds of phishing URLs, we observed a detection delay among our competitors averaging 12.3 hours. Also, 30% of these phishing URLs were detected by our competitors more than 16 hours after discovery by Ermes. For clarity, a detection delay is the time interval between Ermes detection of a phishing URL and detection by a competitor.