2025 Phishing Trends So Far: What’s New and What Still Works

Phishing remains the entry point for many data breaches and ransomware incidents. Human error, time pressure and clever social engineering continue to give attackers leverage, even as organisations invest in advanced email security.

In 2024, Proofpoint’s State of the Phish report found that more than two-thirds of surveyed employees took risky actions such as clicking malicious links or opening unknown attachments, contributing to a sharp rise in direct financial penalties and reputational damage from phishing incidents.

As of early 2025, several trends are reshaping how phishing campaigns are executed and where defenders should focus. This article looks at what is new, what still works for attackers and how to adapt your phishing defence strategy accordingly.

Trend 1 – AI-generated spear phishing becomes the default

Generative AI has moved from proof of concept to everyday tool in phishing campaigns. Recent analyses of phishing seasons in 2025 highlight that attackers are increasingly using AI to craft highly personalised emails that mimic internal communication styles, respond to previous email chains and even adjust language to local norms.

Key characteristics include:

• Fluent, low-error language. Many phishing emails no longer contain obvious spelling or grammar red flags.
• Contextual details. Messages reference real projects, internal tools or colleagues scraped from collaboration platforms and social media.
• Dynamic variants. Attackers can generate multiple slightly different versions of the same lure, making it harder for static filters to catch them all.

For defenders, this reinforces the importance of layered controls: email security that uses behavioural and machine-learning-based analysis, phishing-resistant MFA to protect accounts even when credentials are compromised, and targeted awareness that teaches employees to look beyond superficial language quality.

DACTA’s piece The Dark Side of AI: How Are Cybercriminals Exploiting Machine Learning discusses broader AI-driven threats and how to embed AI risk into your security strategy.

Trend 2 – QR code phishing (“quishing”) targets executives and on-the-go users

QR code phishing, often called “quishing”, has accelerated sharply as organisations embrace QR codes for payments, check-ins and authentication. Research in early 2024 indicated that around 12 percent of phishing emails already contained QR codes.  Abnormal Security found that executives received more than forty times more QR code attacks than the average employee, reflecting their attractive risk profile.

By 2025, national fraud agencies in multiple countries have reported growing financial losses linked to QR scams, including cases where fake QR codes on parking machines and public signage drove victims to spoofed payment sites. Unit 42 researchers have also observed new techniques such as using legitimate websites’ redirect mechanisms and cloud-based verification tools to hide the final phishing destination.

Defenders should:

• Include QR-based scenarios in phishing simulations and awareness campaigns
• Ensure that secure mobile browsers and endpoint controls inspect URLs opened via QR codes where possible
• Encourage users to favour official apps and manually typed URLs over scanning random codes

Trend 3 – Deepfake vishing and hybrid voice scams

Voice phishing (vishing) has been around for years, but deepfake voice technology has changed the stakes. Recent threat intelligence reports show deepfake-enabled vishing increasing by more than a thousand percent between late 2024 and early 2025, with projected global fraud losses in the tens of billions.

Recent cases highlight:

• Executive impersonation calls. Attackers use cloned audio to impersonate CEOs or finance leaders, instructing staff to urgently transfer funds. Kymatio+1
• Virtual kidnapping scams. Deepfake voice and video are used as “proof of life” in extortion attempts, prompting rushed payments before victims can verify the situation. Axios+1
• Multi-channel hybrids. Attackers combine phishing emails, SMS messages and phone calls to build credibility and pressure targets.

To mitigate this, organisations should:

• Establish out-of-band verification processes for high-risk actions such as payments or data access
• Introduce “safe word” or code-phrase protocols for sensitive instructions
• Educate staff about deepfake possibilities and encourage calm verification rather than immediate action under pressure

Trend 4 – Phishing goes truly multi-channel

Email remains the primary delivery vector for phishing, but data from simulated and real attacks in 2025 shows a growing share of attacks delivered through SMS, messaging apps, collaboration tools and social media.

Common patterns:

• Fake MFA prompts or password reset messages sent via SMS
• Social media direct messages from compromised accounts pointing to malicious links
• Phishing links shared inside collaboration platforms that bypass traditional email gateways

This multi-channel reality means “email security” alone is not enough. Security teams must:

• Extend monitoring and policy controls to collaboration and messaging platforms
• Reinforce core verification habits that apply regardless of channel
• Include non-email scenarios in awareness training, especially for senior leaders and frontline staff

What still works for attackers – Old tactics, new wrapping

Despite the new techniques, many successful attacks still rely on familiar tactics:

• Fake invoices and payment redirections
• Credential harvesting for widely used SaaS platforms
• Malware-laden attachments disguised as business documents

Proofpoint and other threat intelligence providers consistently observe that basic credential theft and BEC remain prevalent, even as attackers adopt AI and QR codes. The difference is that these lures are now better written, more targeted and more seamlessly integrated into normal communication flows.

This underscores the value of robust fundamentals: email authentication (SPF, DKIM, DMARC), attachment sandboxing, URL rewriting and phishing-resistant MFA.

Strengthening your phishing defence strategy in 2025

A modern phishing defence strategy should balance technology, process and people.

Consider prioritising:

• Advanced email and messaging security. Solutions capable of anomaly detection, behavioural analysis and QR-aware inspection rather than relying solely on signature-based filtering.
• Phishing-resistant authentication. FIDO2 security keys or platform authenticators significantly reduce the impact of credential theft.
• Continuous awareness and simulation. Programmes that evolve with new threat patterns, including QR quishing and deepfake vishing scenarios.
• Incident response readiness. Clear playbooks for investigating suspected phishing incidents, resetting credentials and containing potential ransomware activity.

For more guidance on technical controls and tooling, see DACTA’s The Ultimate Cybersecurity Toolkit for 2025, which covers endpoint, network and advanced threat detection measures, including MDR and AI-powered analytics.

Mobile-focused protections discussed in CSA’s Recommended Security Apps to Protect Your Mobile Device in Singapore & Beyond can also help mitigate phishing on phones and tablets.

Conclusion – Treat phishing as a dynamic, human-centric risk

Phishing in 2025 is no longer about spotting spelling mistakes. It is a dynamic blend of AI-generated content, QR codes, deepfake audio and multi-channel delivery, all aimed at exploiting human trust and urgency.

Organisations that succeed will be those that:

• Keep their phishing threat model current
• Invest in layered technical controls and phishing-resistant authentication
• Treat employees as part of the detection surface rather than just potential victims

DACTA Global supports this shift through advisory services, detection engineering and managed security offerings that closely integrate with your awareness and training efforts. If your phishing defences still look like they did in 2020, now is the time to update them for the AI-driven, multi-channel threats of 2025.

‍