Shalabh Mohan | Area 1 Security | @area1security

Tar Heels or the Wildcats. One of them is the likely winner of this year’s NCAA tournament (with due apologies to Michigan State & University of Virginia fans; those two upsets destroyed my own personal bracket earlier this month).

While the collective zeitgeist is focused on the ups and downs of NCAA’s March Madness, we decided to do our own bracket related to something less fun than basketball but still a watercooler conversation topic — cybersecurity. We went through millions of attack records from 2016 within our dataset to come up with the perfect phishing bracket for this year. Phishing is the primary cybersecurity attack risk (source: Verizon Report) and attackers have their own version of a brand leaderboard to target unsuspecting individuals, employees, and through them, the organizations which they are associated with.

Although the majority of us might quickly scan through the above 64-brand bracket, entirely unsurprised but still relatively pleased that our organization is not listed, we are not quite in the clear.

Not even close, actually.

Predictably, large conglomerates with enormous numbers of consumer accounts (read: financial institutions and cloud services) are the topmost phishing lures. But what does that actually mean for them, and more importantly, what does that mean for us?

A “phished brand” is a brand that cybercriminals imitate in malicious cyber campaigns; so in essence, the brand is the bait for the phishing scam. While this is certainly detrimental to the brand, with damages extending far beyond the actual data loss and remediation costs, the phished brand is not the only victim in this scenario.

Analogous to real fishing, where the bait is not the prize, the brand is just the vehicle used to “catch” the true target: the fish. This is where unsuspecting and harmless employees of an organization come into play.

We are the fish. Small fish, that is.

Small fish we may be, but the companies we work for are the true big fish the attackers are after. Motivations range from data and intellectual property theft, financial account access and corporate M&A activity to corporate espionage, to name just a few. But make no mistake — they are coming after us. Constantly. Cybercriminals are unbiased and will prey on victims across all verticals, sizes, and countries.

Analyzing the full bracket above, we see similarities with a Pareto distribution wherein these top 64 brands accounted for 70% of all phishes seen during the analysis period. These attackers are exploiting our inherently trusting nature. They are disguising malicious emails and links as legitimate communications from trusted brands. The top 64 brands. People trust Apple and Wells Fargo.

Furthermore, and to nobody’s surprise, US companies are the most targeted phishing lures. More surprisingly, however, the USA is also the majority source (62%) of all phishing URLs. Where an attack is coming from matters much more than you might think, as it allows us to build better defenses against such attacks.

Now, let’s see who made it to the Sweet Sixteen and the Phinal Phour: