Phishing Activity in Top-level Domains (TLDs)
November 1, 2020 - January 31, 2021
We analyzed the phishing domains to see how they were distributed across the top-level domains. For our analysis, we extract the Top-level Domain (e.g., com, xyz, uk) from the hostnames we found in phishing reports. We then rank TLD operators based on the number of reported phishing domains and a metric, phishing score.
Most phishing continues to be concentrated in just a few TLDs: for the November 1, 2020 through January 31, 2021 period, we identified 494 TLDs where we observed phishing; of these we identified 121 TLDs with a minimum of 30,000 delegated domains and at least 25 reported phishing domains.
In the table below, we present the twenty TLDs that had the highest number of reported phishing domains. Four TLDs in the August to October 2020 ranking (by reported phishing domains)are legacy TLDs (com,info, net, org). Nine are country ccTLDs (tk, ml, ga, cn, cf, gq, ru, uk, cc). Seven are new TLDs (xyz, shop, top, buzz, icu, live, online).
Ranking of TLDs by Phishing Domains
(November 2020 to January 2021)
TLDs with a minimum of 30,000 domains and 25 phishing domains
| Rank | TLD | Domains in TLD | Phishing Domains ▼ | Phishing Domain Score |
| 1 | com | 151,515,643 | 57,789 | 3.8 |
| 2 | tk | 25,676,473 | 9,237 | 3.6 |
| 3 | ml | 3,709,952 | 6,327 | 17.1 |
| 4 | ga | 4,374,267 | 4,995 | 11.4 |
| 5 | xyz | 2,976,736 | 4,862 | 16.3 |
| 6 | cn | 12,790,270 | 4,651 | 3.6 |
| 7 | shop | 773,435 | 4,604 | 59.5 |
| 8 | cf | 4,091,050 | 4,562 | 11.2 |
| 9 | gq | 3,257,002 | 3,577 | 11.0 |
| 10 | info | 4,063,006 | 3,418 | 8.4 |
| 11 | net | 13,200,597 | 2,981 | 2.3 |
| 12 | top | 1,493,249 | 2,485 | 16.6 |
| 13 | ru | 4,876,678 | 2,409 | 4.9 |
| 14 | org | 10,343,838 | 2,224 | 2.2 |
| 15 | buzz | 292,949 | 2,127 | 72.6 |
| 16 | live | 392,946 | 1,895 | 48.2 |
| 17 | icu | 2,636,509 | 1,870 | 7.1 |
| 18 | uk | 10,379,665 | 1,655 | 1.6 |
| 19 | online | 1,699,318 | 1,641 | 9.7 |
| 20 | cc | 721,405 | 1,253 | 17.4 |
Two Top-level Domains with fewer than 30,000 domains have at least 25 reported phishing domains and phishing domain scores that are concerningly high given their size. The new TLD .support had 311 reported phishing domains with 27,503 gTLD registrations under management. This TLD’s phishing score of 113 is higher than the top-ranked TLD in Table 1. New TLD .ooo had 66 domains with only 9,565 gTLD registrations under management and its TLD phishing score of 69 is also higher than the top-ranked TLD in Table 1.
To allow comparison of large and small Top-level Domains, we also rank TLDs based on a metric, phishing domain score, which is calculated by dividing the number of domain names reported for phishing in a TLD by the number of domains delegated from that TLD.
TLD Phishing Score = (number of phishing domains/domains delegated from TLD) * 10,000
This score can highlight where high-volume phishers place multiple phish on one domain.
In the table below, we show the twenty TLDs that had the highest phishing domain score.
Ranking of TLDs by Phishing Domain Score
(November 2020 to January 2021)
TLDs with a minimum of 30,000 domains and 25 phishing domains
| Rank | TLD | Domains in TLD | Phishing Domains | Phishing Domain Score ▼ |
| 1 | best | 86,257 | 635 | 73.6 |
| 2 | buzz | 292,949 | 2,127 | 72.6 |
| 3 | shop | 773,435 | 4,604 | 59.5 |
| 4 | cyou | 63,895 | 372 | 58.2 |
| 5 | services | 53,522 | 274 | 51.2 |
| 6 | live | 392,946 | 1,895 | 48.2 |
| 7 | monster | 135,032 | 599 | 44.4 |
| 8 | link | 153,696 | 564 | 36.7 |
| 9 | digital | 85,587 | 234 | 27.3 |
| 10 | casa | 46,021 | 100 | 21.7 |
| 11 | cc | 721,405 | 1,253 | 17.4 |
| 12 | ml | 3,709,952 | 6,327 | 17.1 |
| 13 | top | 1,493,249 | 2,485 | 16.6 |
| 14 | 109,279 | 179 | 16.4 | |
| 15 | xyz | 2,976,736 | 4,862 | 16.3 |
| 16 | pw | 379,941 | 530 | 14.0 |
| 17 | click | 38,162 | 53 | 13.9 |
| 18 | center | 39,748 | 54 | 13.6 |
| 19 | id | 383,585 | 519 | 13.5 |
| 20 | website | 302,406 | 349 | 11.5 |