According to the report, Microsoft remained the most impersonated brand globally, appearing in 25% of phishing attempts. Google followed at 11%, with Apple at 9%. In a notable shift, Spotify reentered the top 10 for the first time since Q4 2019, ranking fourth at 6%.

The Technology sector remained the most targeted industry, followed by Social Networks and Retail platforms.

“Cybercriminals continue to exploit the trust users place in well-known brands. The resurgence of Spotify and the surge in travel-related scams, especially in light of summer and school holiday travel in the Northern Hemisphere, show how phishing attacks are adapting to user behavior and seasonal trends. Awareness, education, and security controls remain critical to reducing the risk of compromise,” said Omer Dembinsky, data research manager at Check Point Software.

Top 10 Targeted Brands in Q2 2025

Below are the brands most frequently targeted by phishing attacks during Q2 2025:

1. Microsoft – 25%
2. Google – 11%
3. Apple – 9%
4. Spotify – 6%
5. Adobe – 4%
6. LinkedIn – 3%
7. Amazon – 2%
8. Booking – 2%
9. WhatsApp – 2%
10. Facebook – 2%

Top 10 Personalities Driving Cybersecurity Revolution in 2025

Phishing Campaign Impersonating Spotify

One of the most prominent phishing attacks this quarter targeted Spotify users. Cybercriminals created a malicious login page, which replicated the official Spotify login experience, complete with authentic branding and design. Victims were asked to enter their usernames and passwords, which were then funneled to a fake payment page that attempted to steal credit card details as well.

This campaign marks Spotify’s first reappearance in phishing top charts since Q4 2019—and underscores how entertainment services are now being exploited just as aggressively as tech platforms.

Booking.com Confirmation Scam Surge

Another major trend in Q2 was the sharp increase in Booking.com-themed phishing domains, with over 700 new domains registered using the confirmation-id****.com format. This represents a 1000% increase compared to earlier in the year.

Sample phishing domain:

Many of these domains embedded real user data, such as names and contact details, to enhance credibility and urgency. Although these sites were short-lived, they illustrate the increasing personalisation and targeting capabilities of phishing campaigns.

Industry Trends: Technology and Digital Platforms Under Siege

The Technology sector continued to dominate as the most impersonated industry in phishing attacks during Q2 2025. Tech giants like Microsoft, Google, and Apple remain prime targets due to their widespread use in authentication and productivity workflows.

Social media platforms like LinkedIn, WhatsApp, and Facebook also remained high-risk targets. The Retail and Travel sectors—including Amazon and Booking.com—were exploited by attackers seeking to capitalise on seasonal shopping and travel activity.

The Check Point Brand Phishing Ranking is published quarterly and is based on data drawn from Check Point’s ThreatCloud AI platform—the world’s largest collaborative cyber threat intelligence network. The report analyses phishing emails, fake websites, and impersonation attempts across multiple vectors.

• Check Point Research (CPR) sees a surge in malware distributed through websites appearing to be related to ChatGPT
• Since the beginning of 2023,  1 out of 25 new ChatGPT-related domain was either malicious or potentially malicious
• CPR provides examples of websites that mimic ChatGPT, intending to lure users to download malicious files, and warns users to be aware and to refrain from accessing similar websites

The age of AI – Anxiety or Aid?

In December 2022, Check Point Research (CPR) started raising concerns about ChatGPT’s implications for cybersecurity.

In its previous report, CPR put a spotlight on an increase in the trade of stolen ChatGPT Premium accounts, which enable cyber criminals to get around OpenAI’s geofencing restrictions to secure unlimited access to ChatGPT. 

A surge in cyberattacks has recently been noticed by Check Point Research, leveraging websites associated with the ChatGPT brand. These attacks involve the distribution of malware and phishing attempts through websites that appear to be related to ChatGPT. 

The firm has identified numerous campaigns that mimic the ChatGPT website with the intention of luring users into downloading malicious files or disclosing sensitive information. The frequency of these attack attempts has been steadily increasing over the past few months, with tens of thousands of attempts to access these malicious ChatGPT websites. 

Since the beginning of 2023 until the end of April, out of 13,296 new domains created related to ChatGPT or OpenAI, 1 out of every 25 new domains were either malicious or potentially malicious. 

Fake Domains

One of the most common techniques used in phishing schemes are lookalike or fake domains. Lookalike domains are designed to appear to be a legitimate or trusted domain at a casual glance. For example, instead of the email address boss@company.com, a phishing email may use boss@cornpany.com. The email substitutes ‘rn’ for ‘m’. While these emails may look authentic, they belong to a completely different domain that may be under the attacker’s control.

Phishers may also use fake but believable domains in their attacks. For example, an email claiming to be from Netflix may be from help@netflix-support.com. While this email address may seem legitimate, it is not necessarily owned by or associated with Netflix.

Here are some examples of the malicious websites we have identified:

• chat-gpt-pc.online
• chat-gpt-online-pc.com
• chatgpt4beta.com
• chatgptdetectors.com
• chat-gpt-ai-pc.info
• chat-gpt-for-windows.com

Once a victim clicks on these malicious links, they are redirected to these websites and potentially exposed to further attacks:

What to Do if You Suspect a Phishing Attack

If you suspect that a website or email may be a phishing attempt, take the following steps:

1. Don’t Reply, Click Links, or Open Attachments: Never do what a phisher wants. If there is a suspicious link, attachment, or request for a reply do not click, open, or send it.
2. Report the Email to IT or Security Team: Phishing attacks are commonly part of distributed campaigns, and just because you fell victim to the scam does not mean that everyone did. Report the email to IT or the security team immediately, so that they can start an investigation and perform damage control as quickly as possible.
3. Delete the Suspicious Email: After reporting, delete the suspicious email from your Inbox. This lessens the chance that you will accidentally click on it, without realizing it later.
4. Beware of lookalike and fake domains: Note the language, the spelling and content within the website you are clicking on. Note “small” mistakes in spelling and content that requires you to download files.

While awareness of common phishing tactics and knowledge of anti-phishing best practices is important, modern phishing attacks are sophisticated enough that some will always slip through.

Check Point Harmony Email & Office provides visibility and protection across email phishing techniques. To learn more, you’re welcome to request a free demo. 

Pre-Emptive User Protection

Check Point Anti-Phishing solutions eliminate potential threats before they reach users without affecting workflows or productivity.

• Click-time URL protection examines and blocks suspicious links in real time, removing the risk of URLs that are weaponized after the email has been sent
• Zero-day phishing protection identifies and blocks new and known phishing sites by analyzing the characteristics of the page and URL
• Eliminates risk from incoming email by inspecting all aspects of messages before they enter the mailbox, including attachments, links, and email text

To demonstrate, CPR used ChatGPT and Codex to produce malicious emails, code and a full infection chain capable of targeting people’s computers. CPR documents its correspondence in a new publication with examples of what was generated, underscoring the importance of vigilance as developing AI technologies, like ChatGPT, can change the cyber threat landscape significantly.

• CPR used ChatGPT to create a phishing email impersonating hosting company
• CPR iterated with ChatGPT to refine a phishing email to make infection chain easier
• CPR used ChatGPT to generate VBA code to embed into an Excel document

Check Point Research (CPR) used ChatGPT to create malicious phishing emails and code, in order to warn of the potential dangers that the new AI technology can have on the cyber threat landscape.

Using Open AI’s ChatGPT, CPR was able to create a phishing email, with an attached Excel document containing malicious code capable of downloading reverse shells. Reverse shell attacks aim to connect to a remote computer and redirect the input and output connections of the target system’s shell so the attacker can access it remotely. 

Steps taken with ChatGPT

1. Ask ChatGPT to impersonate a hosting company (Figure 1)
2. Ask ChatGPT to iterate again, producing a phishing email with malicious excel attachment (Figure 2)
3. Ask ChatGPT to create malicious VBA code in an Excel document (Figure 3) 

Open AI’s Codex

CPR was also able to generate malicious code using Codex. CPR asked Codex questions, including:

• Execute reverse shell script on a windows machine and connect to a specific IP address
• Check if URL is vulnerable to SQL injection by logging in as admin
• Write a python script that runs a full port scan on a target machine

Malicious code was subsequently generated by Codex.

Quote: Sergey Shykevich, Threat Intelligence Group Manager at Check Point Software:

“ChatGPT has the potential to significantly alter the cyber threat landscape. Now anyone with minimal resources and zero knowledge in code, can easily exploit it to the detriment of his imagination.

It is easy to generate malicious emails and code. Hackers can also iterate on malicious code with ChatGPT and Codex. To warn the public, we demonstrated how easy it is to use the combination of ChatGPT and Codex to create malicious emails and code. 

I believe these AI technologies represent another step forward in the dangerous evolution of increasingly sophisticated and effective cyber capabilities. The world of cybersecurity is rapidly changing and we want to emphasize the importance of remaining vigilant as ChatGPT and Codex become more mature, as this new and developing technology can affect the threat landscape, for both good and bad.”