Phishing Activity in Top-level Domains (TLDs)
August 1 - October 31, 2020
We analyzed the phishing domains to see how they were distributed across the top-level domains. For our analysis, we extract the Top-level Domain (e.g., com, xyz, uk) from the hostnames we found in phishing reports. We then rank TLD operators based on the number of reported phishing domains and a metric, phishing score.
Most phishing continues to be concentrated in just a few TLDs: for the August-October 2020 period, we identified 113 TLDs with a minimum of 30,000 delegated domains and at least 25 reported phishing domains.
In the table below, we present the twenty TLDs that had the highest number of reported phishing domains. Four TLDs in the August to October 2020 ranking (by reported phishing domains)are legacy TLDs (com, net, org, info). Ten are country ccTLDs (tk, ml, ga, cf, gq, cn, ru, us, uk, br). Six are new TLDs (xyz, top, live, online, icu, buzz).
Ranking of TLDs by Phishing Domains (August to October 2020)
TLDs with a minimum of 30,000 domains and 25 phishing domains
| Rank | TLD | Domains in TLD | Phishing Domains ▼ | Phishing Domain Score |
| 1 | com | 150,193,669 | 47,488 | 3.2 |
| 2 | tk | 24,754,932 | 6,750 | 2.7 |
| 3 | xyz | 2,871,491 | 5,582 | 19.4 |
| 4 | ml | 3,546,423 | 5,203 | 14.7 |
| 5 | ga | 4,310,210 | 3,995 | 9.3 |
| 6 | cf | 3,956,931 | 3,607 | 9.1 |
| 7 | info | 4,188,726 | 2,942 | 7.0 |
| 8 | gq | 3,156,302 | 2,793 | 8.9 |
| 9 | net | 13,287,890 | 2,735 | 2.1 |
| 10 | top | 2,187,589 | 2,618 | 12.0 |
| 11 | cn | 14,676,961 | 2,144 | 1.5 |
| 12 | ru | 4,880,081 | 2,119 | 4.3 |
| 13 | org | 10,269,395 | 1,955 | 1.9 |
| 14 | us | 1,663,224 | 1,685 | 10.1 |
| 15 | live | 470,265 | 1,370 | 29.1 |
| 16 | uk | 10,310,868 | 1,357 | 1.3 |
| 17 | online | 1,608,039 | 1,349 | 8.4 |
| 18 | icu | 4,697,211 | 1,208 | 2.6 |
| 19 | buzz | 507,724 | 888 | 17.5 |
| 20 | br | 3,796,907 | 851 | 2.2 |
To allow comparison of large and small Top-level Domains, we also rank TLDs based on a metric, phishing domain score, which is calculated by dividing the number of domain names reported for phishing in a TLD by the number of domains delegated from that TLD.
TLD Phishing Score = (number of phishing domains/domains delegated from TLD) * 10,000
This score can highlight where high-volume phishers place multiple phish on one domain.
In the table below, we present the twenty TLDs that had the highest phishing domain score.
Ranking of TLDs by Phishing Domain Score (August to October 2020)
TLDs with a minimum of 30,000 domains and 25 phishing domains
| Rank | TLD | Domains in TLD | Phishing Domains | Phishing Domain Score ▼ |
| 1 | cyou | 35,430 | 161 | 45.4 |
| 2 | casa | 40,780 | 184 | 45.1 |
| 3 | monster | 103,171 | 458 | 44.4 |
| 4 | link | 133,799 | 404 | 30.2 |
| 5 | live | 470,265 | 1,370 | 29.1 |
| 6 | services | 50,882 | 128 | 25.2 |
| 7 | id | 366,917 | 829 | 22.6 |
| 8 | xyz | 2,871,491 | 5,582 | 19.4 |
| 9 | buzz | 507,724 | 888 | 17.5 |
| 10 | digital | 75,628 | 129 | 17.1 |
| 11 | best | 106,609 | 161 | 15.1 |
| 12 | ml | 3,546,423 | 5,203 | 14.7 |
| 13 | network | 58,638 | 79 | 13.5 |
| 14 | center | 38,916 | 49 | 12.6 |
| 15 | top | 2,187,589 | 2,618 | 12.0 |
| 16 | cam | 36,883 | 42 | 11.4 |
| 17 | cloud | 189,443 | 195 | 10.3 |
| 18 | us | 1,663,224 | 1,685 | 10.1 |
| 19 | 108,225 | 108 | 10.0 | |
| 20 | pw | 413,586 | 409 | 9.9 |