Phishing
- By Paweł
Phishing – Why Should We Still Care When 2025 Is Full of New Threats?
The year 2025 is a real show of force for cybercriminals, who are constantly pulling out new tools and spectacular vulnerabilities from their sleeves. Just look at a few examples of attacks and zero-day vulnerabilities:
- RansomHub – a ransomware group that carried out high-profile attacks on healthcare and education companies in 2025, encrypting data and threatening to publish stolen information.
- QakBot is back – following last year’s FBI operation, the QakBot malware returned in 2025 in a new version, spread via infected LinkedIn web pages.
- Zero-day in ConnectWise ScreenConnect (CVE-2024-1709) – a vulnerability allowing takeover of the ScreenConnect server without authorization, still widely exploited in 2025.
- Zero-day in Palo Alto PAN-OS (CVE-2024-3400) – a critical vulnerability in network firewalls, used for remote code execution.

As you can see, the world in 2025 is burning with malware and new exploits, yet phishing still reigns as the number one method. Why? Because it is:
- easy to implement,
- cheap,
- difficult to completely block,
- and – most importantly – works on virtually anyone who clicks on the wrong link even once.
According to the FBI’s IC3 report for 2024, phishing was still the most frequently reported cybercrime in the US, ahead of ransomware and business account theft.
In other words – even if hackers have zero-days and the latest RATs, the first step in an attack is often an email or text message that looks too real to ignore.
Looking at the numbers, it doesn’t look good:
- Number of phishing reports: 298,878 (the most of all categories).
- Total losses from BEC (which often starts with phishing): $2.9 billion in the US alone.
- Average 5 million unique phishing attacks per quarter (a record high).
- Most frequently attacked industries: SaaS/Webmail, financial services, social media.
- 36% of all data breaches started with phishing.
- The use of generative AI increased the effectiveness of spear phishing by several percent.
- Expected annual growth of phishing costs globally: 12–14% year-on-year.
What are the types of phishing?
We already know why we should still be careful with phishing, but phishing has many names. Here are the most popular variants:
- Classic phishing – mass email campaigns in which a well-known brand is impersonated (e.g. bank, Microsoft, DHL) and encourages you to click on a link or download an attachment.
- Spear phishing – targeted attacks on a specific person or company. Here, attackers prepare a message based on knowledge of the context: names, projects, internal names.
- Business Email Compromise (BEC) – CEO fraud (“pretexting”), in which cybercriminals impersonate a board member and encourage you to make an urgent transfer.
- Smishing – SMS phishing. A short message with a link, e.g. to an alleged shipment or blocking of a bank account.
- Vishing – voice phishing, i.e. a telephone conversation with the “bank” or “police”.
- Phishing on social media – links sent via messengers, fake profiles, posts in thematic groups.
How do new phishing campaigns come about?

Cybercriminals are adapting their tactics faster than companies can keep up with spam filter updates. They are increasingly using automation, which allows bots to generate personalized emails in thousands of variants simultaneously. Generative AI adds to this: phishing content is now written in natural language, without the typos, strange phrases or characteristic errors that used to make it easier to recognize. Attackers are also building dynamic phishing pages; such sites can automatically impersonate different brands depending on who visits them, which increases the chances of a successful fraud.
Geo-targeting is also becoming increasingly popular: campaigns adjust the language of the message, the name of the institution or the specifics of the region to look as credible as possible to the victim. In practice, this means that any of us can receive an email that looks perfect, with a first name, last name and real context, which effectively lowers vigilance.
How to defend yourself?
Phishing cannot be 100% eliminated, but its effectiveness can be drastically reduced.
What can regular users do?
- Double check the sender and URL.
- Don’t click on links from SMS and instant messaging without verification.
- Use multi-factor authentication (MFA) wherever possible.
- Regularly update systems and applications.
- Use anti-phishing filters in browsers and email.
- Report suspicious messages.
What can companies do?
- Train employees to recognize phishing (awareness courses).
- Use advanced email filters (attachment sandboxing, link reputation).
- Implement privilege restriction policies (principle of least privilege).
- Configure DMARC, DKIM, and SPF on company domains.
- Monitor and respond to incidents in real time.
- Regularly test resilience (phishing simulations).
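A quick way to verify the “Configure DMARC, DKIM, and SPF” item above, as an added example that is not part of the original post: it flags the SPF and DMARC settings that still let spoofed mail through (softfail-only SPF, p=none, missing reports). The TXT records and the domain example.com are constructed sample data, so it runs offline; DKIM is left out because checking it requires a signed message rather than a DNS record.

```python
import re

# Constructed sample TXT records for the hypothetical domain example.com.
# In production these would come from a DNS lookup of the domain and _dmarc.<domain>.
SAMPLE_TXT = {
    "example.com": ["v=spf1 include:_spf.example.net ~all"],
    "_dmarc.example.com": ["v=DMARC1; p=none; rua=mailto:dmarc@example.com"],
}

# SPF mechanisms/modifiers that each cost one of the 10 allowed DNS lookups.
LOOKUP_TERMS = {"include", "a", "mx", "exists", "redirect", "ptr"}


def spf_findings(records):
    """Return the weaknesses found in a domain's SPF record (empty list = fine)."""
    spf = [r for r in records if r.lower().startswith("v=spf1")]
    if not spf:
        return ["no SPF record: any server can send mail as this domain"]
    if len(spf) > 1:
        return ["multiple SPF records: receivers treat this as a permanent error"]
    terms = spf[0].split()
    last = terms[-1].lower()
    findings = []
    if last in ("+all", "all"):
        findings.append("SPF ends with +all: every sender is authorized")
    elif last == "?all":
        findings.append("SPF ends with ?all (neutral): no enforcement")
    elif last == "~all":
        findings.append("SPF ends with ~all (softfail): rely on DMARC to reject")
    lookups = sum(1 for t in terms[1:]
                  if re.split(r"[:=/]", t.lstrip("+-~?").lower())[0] in LOOKUP_TERMS)
    if lookups > 10:
        findings.append(f"{lookups} lookup terms exceed the limit of 10: permerror")
    return findings


def dmarc_findings(records):
    """Return the weaknesses found in a domain's DMARC record (empty list = fine)."""
    dmarc = [r for r in records if r.lower().startswith("v=dmarc1")]
    if not dmarc:
        return ["no DMARC record: spoofed mail is neither rejected nor reported"]
    tags = dict(kv.strip().split("=", 1) for kv in dmarc[0].split(";") if "=" in kv)
    findings = []
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append("p=none: spoofed mail is delivered, only reported")
    elif policy == "quarantine":
        findings.append("p=quarantine: spoofed mail goes to spam, not rejected")
    elif policy != "reject":
        findings.append(f"missing or invalid policy tag: p={policy!r}")
    if "rua" not in tags:
        findings.append("no rua= address: aggregate reports are not collected")
    if tags.get("pct", "100") != "100":
        findings.append(f"pct={tags['pct']}: policy applied to only part of the mail")
    return findings


def assess_domain(domain, txt=SAMPLE_TXT):
    """Combine SPF and DMARC findings for one domain."""
    return {"spf": spf_findings(txt.get(domain, [])),
            "dmarc": dmarc_findings(txt.get(f"_dmarc.{domain}", []))}
```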
Phishing is a bit like that old friend that always comes back – regardless of whether Akira ransomware is rife in the network or a new zero-day has been discovered in Ivanti. Why? Because people are and will be the weakest link.
That’s why you shouldn’t underestimate this topic – knowledge, healthy skepticism and good procedures can save data, reputation and the company’s budget.
If you want to better prepare your company for the growing threat of phishing, it pays to act early. Our team can help with security audits, employee training, and implementing effective protection mechanisms against attacks.
Contact us – together we will increase the security of your organization and reduce the risk of costly incidents.