For Q1 2026, one cybersecurity firm’s user base metrics sieved out familiar brands that spell MAGA.

Based on its user base metrics for Q1 2026, a cybersecurity firm analyzed phishing activity trends and found that attackers continue to impersonate widely used digital services and established brands to leverage social engineering as a primary intrusion method.

The data shows a high concentration of impersonation activity focused on a small number of widely used platforms. One major provider of enterprise and cloud services accounted for a high proportion of the observed phishing attempts in the data, followed by other prominent providers across consumer devices, search, e-commerce, and professional networking. Together, the four most frequently impersonated services represented nearly half of all recorded incidents: Microsoft (22%), Apple (11%), Google (9%), Amazon (7%).

By sector, technology services remained the most targeted, followed by social media platforms, alongside financial services.

Observed campaigns during the period of data analysis highlight common tactics.

  • One example involved a counterfeit login page hosted on a deceptive web address designed to resemble a legitimate authentication portal. The page prompted users to enter credentials through a simulated login flow that ultimately failed, suggesting credential harvesting rather than genuine access.
  • In another case, attackers created a fraudulent e-commerce site mimicking a gaming platform, advertising unrealistic discounts and requiring payment via bank transfer — an established indicator of fraud.
  • A separate campaign replicated a web-based messaging interface and used QR code prompts to trick users into linking their accounts to attacker-controlled sessions, potentially enabling unauthorized access without immediate detection.
  • Phishing was also used to distribute malware. A malicious website posing as a software download portal delivered a remote access tool, allowing attackers to take control of infected systems after installation.

The findings point to two primary risks: external impersonation targeting customers and partners, and internal exposure when employees engage with fraudulent communications.

Analysts from Check Point Research, the firm that shared its Q1 user ecosystem review, note that phishing remains effective because it exploits routine user behavior and trust in familiar digital services, rather than relying solely on technical vulnerabilities.