An analytical ranking of the brands most frequently impersonated by scammers in 2026 — based on domain registrations, FTC complaint data, and consumer impact patterns.
Brand impersonation has become the dominant fraud strategy across multiple categories — accounting for 67% of phishing operations, 58% of shopping fraud, and 41% of overall consumer fraud reports in 2025. The pattern is concentrated, not distributed. The top 50 most-impersonated brands account for an estimated 73% of all brand-impersonation fraud despite representing fewer than 0.001% of registered businesses.
The concentration reflects rational fraudster economics. Brand recognition serves as initial credibility for fraud attempts — recipients are more likely to trust an "email from Amazon" than an email from an unfamiliar retailer. The same recognition that drives legitimate commercial success drives fraud targeting.
This ranking combines four data sources to produce a composite picture of brand-impersonation risk:
Composite scores weight these sources to produce comparable rankings across categories. Brands appearing in multiple data sources at high volume rank highest. The ranking reflects 2025 calendar year data with January 2026 verification.
The most-targeted brands in 2025 reflect consumer reach, transaction value, and credential value:
| Rank | Brand | Primary Attack Type | Active Lookalike Domains (est.) |
|---|---|---|---|
| 1 | Amazon | Order verification, lookalike shopping, account takeover | ~8,400 |
| 2 | Microsoft | Office 365 password expiration, account suspension | ~6,800 |
| 3 | Apple | iCloud verification, Apple ID phishing | ~5,200 |
| 4 | PayPal | Account limitation, fund recovery | ~4,900 |
| 5 | Netflix | Payment failure, subscription verification | ~3,700 |
| 6 | Drive sharing, account security | ~3,400 | |
| 7 | USPS | Package delivery, redelivery fees | ~3,200 |
| 8 | Walmart | Order issues, lookalike shopping | ~2,900 |
| 9 | Nike | Lookalike shopping, counterfeit goods | ~3,200 |
| 10 | Bank of America | Account verification, fraud alerts | ~2,600 |
The composition reveals strategic patterns. Technology platforms (Amazon, Microsoft, Apple, Google) dominate because their universal reach means high baseline relevance for any mass campaign. Financial platforms (PayPal, Bank of America) attract fraudsters seeking direct monetary access. Shipping (USPS) provides the package-delivery scam infrastructure that has grown rapidly with SMS phishing.
| Rank | Brand | Primary Attack Type |
|---|---|---|
| 11 | Costco | Membership renewal, lookalike shopping |
| 12 | FedEx | Package delivery scams |
| 13 | Chase Bank | Account verification, fraud alerts |
| 14 | Target | Lookalike shopping, gift card scams |
| 15 | UPS | Package delivery scams |
| 16 | Wells Fargo | Account verification, transfer fraud |
| 17 | Best Buy | Tech product scams, lookalike shopping |
| 18 | eBay | Account takeover, fake listings |
| 19 | Facebook/Meta | Account verification, ad payment phishing |
| 20 | Account verification, copyright phishing | |
| 21 | Adidas | Lookalike shopping, counterfeit goods |
| 22 | Lululemon | Lookalike shopping |
| 23 | IRS | Refund scams, tax debt impersonation |
| 24 | Social Security Admin | Benefit suspension, verification scams |
| 25 | Coach | Counterfeit goods, lookalike shopping |
| Rank | Brand | Category |
|---|---|---|
| 26 | Spotify | Subscription/payment scams |
| 27 | Disney+ | Subscription verification |
| 28 | HBO Max | Subscription verification |
| 29 | Verizon | Account/billing scams |
| 30 | AT&T | Account/billing scams |
| 31 | T-Mobile | Account/billing scams |
| 32 | Capital One | Credit card fraud, account verification |
| 33 | Citibank | Account verification |
| 34 | Discover | Credit card fraud alerts |
| 35 | American Express | Account verification, rewards scams |
| 36 | Yeti | Lookalike shopping (trending products) |
| 37 | Stanley | Lookalike shopping (viral demand) |
| 38 | LEGO | Holiday lookalike shopping |
| 39 | Sephora | Lookalike shopping, beauty fraud |
| 40 | Ulta | Lookalike shopping, beauty fraud |
| 41 | Macy's | "Closing sale" liquidation scams |
| 42 | JCPenney | "Closing sale" liquidation scams |
| 43 | Kohl's | Lookalike shopping |
| 44 | Home Depot | Lookalike shopping, gift card scams |
| 45 | Lowe's | Lookalike shopping |
| 46 | StockX | Sneaker fraud, fake authenticity |
| 47 | Etsy | Counterfeit handmade goods |
| 48 | Cash App | P2P scams, fake support |
| 49 | Venmo | P2P scams, fake support |
| 50 | Zelle | P2P scams, fake support |
The 50-brand ranking reveals consistent patterns when grouped by category:
| Category | Brands In Top 50 | Combined Estimated Share Of Brand Fraud |
|---|---|---|
| Technology platforms | 6 (Amazon, Microsoft, Apple, Google, Facebook, Instagram) | ~31% |
| Major retailers | 11 | ~16% |
| Banks and financial services | 8 | ~14% |
| Shipping/delivery | 3 (USPS, FedEx, UPS) | ~9% |
| Streaming/subscription services | 5 | ~6% |
| Premium brands | 8 | ~7% |
| Government agencies | 2 (IRS, SSA) | ~3% |
| Telecommunications | 3 | ~3% |
| P2P payment platforms | 3 (Cash App, Venmo, Zelle) | ~2% |
| Trending product brands | 3 (Stanley, Yeti, LEGO) | ~2% |
Technology platform concentration (31% of brand fraud across just 6 brands) reflects two reinforcing factors: universal user reach (virtually all U.S. adults have accounts with these services) and high credential value (compromised tech platform accounts enable subsequent fraud).
The composition isn't accidental. Fraudsters optimize brand selection based on three factors:
Recognition reach. Brand familiarity provides initial credibility. The more recipients who genuinely have accounts or relationships with a brand, the higher mass-campaign relevance. Technology platforms with hundreds of millions of users dominate for this reason.
Transaction value capacity. Brands enabling high-value transactions (banks, premium retailers, payment platforms) attract fraud despite lower user counts. A bank impersonation campaign with 5,000 victims can extract more total fraud than a technology platform impersonation with 50,000 victims.
Credential reuse value. Compromising accounts on certain brands (Amazon, Apple, Google) enables broad subsequent fraud due to credential reuse, stored payment information, and connected services. This creates "force multiplier" attractiveness for technology platform impersonation.
The data also reveals defensive implications. Brands appearing repeatedly in the top 50 have demonstrated either insufficient anti-impersonation infrastructure or unwillingness to invest in it. Several brands (notably some major retailers and payment platforms) have publicly reported brand-impersonation domains for years without meaningful reduction in operation.
The concentration data has consumer-protection implications:
Account hygiene for the top 50 brands matters disproportionately. If 73% of brand-impersonation fraud targets these 50 brands, account-protective practices (unique passwords, two-factor authentication, regular monitoring) on these specific accounts deliver disproportionate protection value.
Brand category awareness improves detection. Knowing that bank fraud, package delivery fraud, and technology platform fraud are concentrated patterns means consumers can apply elevated scrutiny to communications claiming to be from these categories specifically.
Subscription service impersonation is undercovered. Streaming services (Netflix, Spotify, Disney+, HBO Max) appear in the top 50 with relatively low awareness compared to their fraud volume. The "payment failure" pretext is highly effective and consumers often don't realize subscription scam emails are a distinct category.
Premium brand luxury fraud requires special caution during Q4. Coach, Lululemon, designer brands, and similar premium retailers appear in the rankings primarily through holiday-season lookalike operations. Off-season fraud against these brands is lower-volume than holiday targeting.
Amazon ranks as the most-impersonated brand globally with approximately 8,400 active lookalike domains identified in 2025. The combination of universal user reach (most U.S. adults have Amazon accounts), high stored payment information value, and credential reuse value across other services makes Amazon impersonation particularly attractive to fraud operations. Order verification phishing and lookalike shopping sites dominate Amazon-themed fraud.
Domain registrar data shows approximately 47,000 new lookalike-style domains registered monthly in 2025 across all brands. The top 10 most-impersonated brands (Amazon, Microsoft, Apple, PayPal, Netflix, Google, USPS, Walmart, Nike, Bank of America) account for over 44,000 active lookalike domains combined. The category has grown nearly 4x from 2020 levels.
Three reinforcing factors: universal user reach (virtually all U.S. adults have accounts with Microsoft, Amazon, Apple, Google, etc.), high credential value (compromised tech platform accounts enable subsequent fraud across many connected services), and stored payment information that converts directly to fraudulent purchases. The 6 major technology platforms in the top 50 generate approximately 31% of all brand-impersonation fraud.
Package delivery scams (SMS-based 'redelivery fee' messages claiming USPS, FedEx, or UPS authority) exploit a consistent psychological pattern: most consumers have packages in transit at any given time, creating high baseline relevance. USPS impersonation alone accounts for ~3,200 active lookalike domains and is the dominant SMS phishing pattern (34% of all smishing reports in 2025). The small fee amounts ($2.99-$5.99) defeat suspicion thresholds while capturing credit card information for subsequent fraud.
Premium brand impersonation concentrates in: Nike (rank 9), Adidas (rank 21), Lululemon (rank 22), Coach (rank 25), and various designer brands appearing in holiday-specific operations. Luxury impersonation typically operates through lookalike shopping sites offering 70-95% discounts on premium products. The volume increases substantially during Q4 holiday shopping periods. Premium brands rarely authorize discounts above 30-40% off retail, making these deep discount offers reliable fraud signals.
Yes — Cash App (rank 48), Venmo (rank 49), and Zelle (rank 50) all appear in the top 50 most-impersonated brands. The patterns differ from traditional brand impersonation: P2P fraud typically involves impersonating customer support staff rather than the platforms' login pages. Fake 'Cash App support' calls and texts target users seeking help with legitimate issues, then route them through credential capture or direct payment fraud.
Five streaming services appear in the top 50: Netflix (rank 5), Spotify (rank 26), Disney+ (rank 27), HBO Max (rank 28), and others. The dominant pattern is 'payment failure' phishing — emails claiming subscription billing issues that require credential or payment information updates. The pattern is effective because most recipients have subscription services and payment failure scenarios are plausible. Subscription scam awareness is lower than other phishing categories despite substantial fraud volume.
The IRS (rank 23) and Social Security Administration (rank 24) appear in the top 50 government-agency impersonation operations. IRS-themed fraud targets tax debt anxiety and refund expectations. SSA-themed fraud often involves 'benefit suspension' threats targeting older demographics specifically. Neither agency initiates communication via phone or SMS for these scenarios — making any such communication a reliable fraud signal.
Macy's (rank 41), JCPenney (rank 42), and other major retailers appear in fraud rankings primarily through 'closing sale' and 'liquidation' impersonation. The pattern exploits real recent retail closures (Bed Bath & Beyond's 2024 closure created cover for similar claims about other retailers). Consumer awareness that retail closures genuinely occur makes 'closing sale' claims plausible even when the named retailer is operating normally. This pattern peaks in Q4 holiday shopping periods.
Targeting infrastructure varies by demographic. Older adults (50+) face heavier targeting from: Medicare/SSA impersonation, tech support 'computer issues' scams, traditional bank phishing, and grandchild emergency scams. Younger adults face heavier targeting from: P2P platform impersonation (Cash App, Venmo), streaming service phishing, e-commerce account takeover, and social media platform impersonation. Both demographics share heavy targeting from major retailer and shipping platform impersonation.
Stanley (rank 37), Yeti (rank 36), and LEGO (rank 38) represent the 'trending product' category of brand impersonation. These brands experience concentrated lookalike operations during periods when specific products are sold out at legitimate retailers. The 'sold out elsewhere' pattern exploits legitimate retailer out-of-stock messages as unintentional verification. 2025 fraud against these three brands alone generated $98 million in reported holiday-period losses.
The 73% concentration in 50 brands has defensive implications: account-protective practices (unique passwords, two-factor authentication, regular monitoring) on these specific accounts deliver disproportionate protection value. Brand category awareness improves detection — knowing that bank fraud, package delivery fraud, and technology platform fraud are concentrated patterns enables elevated scrutiny for communications claiming to be from these specific categories. Subscription service impersonation is particularly undercovered relative to its fraud volume.