PayPal, Facebook, Microsoft, Netflix, and WhatsApp were the most commonly impersonated brands in phishing campaigns in the fourth quarter of 2019, a report by email security company Vade Secure has found.

The payment services provider retained its top spot from the previous quarter, according to data gleaned from the number of unique phishing URLs detected by the company. Thanks to the immediate financial payback and a pool of 305 million active users worldwide, PayPal’s continued popularity among phishers isn’t all that surprising.

PayPal-themed phishing campaigns usually target both consumers and SMB employees, with researchers pointing to an example of a recent fraudulent email that alerted users to an “unusual activity on your account”. A similar campaign was recently uncovered by ESET researchers.

Social media phishing continues to grow with Facebook taking second place on the list. Meanwhile, WhatsApp jumped a whopping 63 spots to take fifth place and Instagram surged 16 places to take the 13th spot.

WhatsApp’s meteoric rise can be chalked up to a campaign inviting recipients to a group that advertises pornographic content, said Vade Secure. It’s also worth noting that phishing scams in general increasingly pop up during major events, such as the FIFA World Cup. Other flavors include offers for bogus deals, such as free storage space.

RELATED READING: Would you get hooked by a phishing scam? Test yourself

Facebook’s constant popularity with scammers can in part be explained with its frequent use as a single sign-on option. Stolen Facebook credentials may then let attackers access other sites using the same credentials.

Microsoft remains the most popular corporate target and the third overall on the list. No wonder, since the tech giant has 200 million monthly active Office 365 business users. They prove to be attractive targets because compromising an Office 365 account leads to access to sensitive information stored on related services such as Skype, SharePoint, and OneDrive.

Last year, a widespread campaign sent fake OneDrive/SharePoint notifications that directly led to phishing pages or, alternatively, legitimate notifications that led to files containing phishing URLs. Recently, scammers have increasingly transitioned to note phishing by sending out OneNote and Evernote HTML pages.

Netflix-themed phishing scams dropped one place, ending up fourth. The 50.2 % decline in phishing URLs took the researchers by surprise, since for the previous 18 months their number showed a growing tendency.