Phishing Trends 2025: What’s Really Changing, What Still Works, and How to Measure Progress

Executive Summary: Defining the 2025 Phishing Trends

Phishing in 2025 isn’t a single tactic; it’s a portfolio of low-friction, high-yield techniques that adapt faster than most enterprise defenses. Understanding these current phishing trends is non-negotiable for effective cybersecurity. Three key shifts define the year:

(1) channel pivoting to QR codes, mobile, and out-of-band lures that sidestep secure email gateways,

(2) identity hijack techniques like adversary-in-the-middle (AiTM) and MFA fatigue that turn “MFA enabled” into “MFA bypassed,” and

(3) industrialized social engineering—hyper-targeted BEC and payroll/wire fraud backed by convincing pretexts and faster cash-out. Industry telemetry underscores the scale: global phishing volumes remained at or near record highs in 2025, with financial and payments sectors consistently among the most targeted; wire-transfer BEC rose sharply, and QR-code campaigns surged. (apwg.org)

This report distills what’s new, what works, and how security leaders can prove improvement—grounded in public research and Hunto AI’s field experience running continuous, role-aware phishing simulations and external threat reduction programs.

---

The landscape in numbers (and why they matter)

• Volume stays high; tactics rotate. The Anti-Phishing Working Group (APWG) observed 1,003,924 attacks in Q1 2025 and 1,130,393 in Q2—a 13% quarter-over-quarter increase—with financial services and SaaS/Webmail leading targeted sectors. Understanding these current phishing trends is critical. APWG also reported a 33% rise in wire-transfer BEC in Q1 and widespread use of QR-code lures to drive victims to mobile browsers, where inspection is weaker. (apwg.org)
• Human-centric crime tops complaint charts. The FBI’s 2024 Internet Crime report (published 2025) lists phishing/spoofing as the #1 crime by complaint volume for 2024—reinforcing that people, not endpoints, are the primary battleground. (Federal Bureau of Investigation)
• Payloads evolve. Independent trend analyses in early 2025 note double-digit growth in ransomware-linked phishing payloads and a steep uptick in HTML smuggling, a clear sign of evolving phishing trends, a favorite for slipping past content controls. (knowbe4.com)
• Social engineering remains a breach driver. Verizon’s 2024/2025 DBIR series continues to show social tactics (phishing, pretexting) as primary breach vectors, with credentials and personal data most frequently compromised. (Verizon)

Why this matters: Defenders can’t out-template attackers. The answer is continuous adaptation against these phishing trends: measurement, targeted coaching, channel coverage beyond email, and evidence-grade reporting that satisfies regulators, auditors, and insurers.

---

Five Phishing Trends Defining 2025

1) QR-code phishing (“quishing”) and mobile-first lures

Attackers embed QR images in emails, PDFs or posters to push victims to mobile browsers—bypassing desktop link inspection and some email gateways. APWG highlights criminals sending millions of QR-code emails daily; we see this resonate in programs where office staff and field teams are equally targeted. Practical defense means training people to treat QR like links and instrumenting mobile browsing where feasible.

2) AiTM and MFA-fatigue techniques normalize

Campaigns increasingly capture session tokens with adversary-in-the-middle pages or elicit repeated prompts to induce push fatigue. Higher-ed and payroll ecosystems are current targets, but the mechanics generalize to any SSO-first enterprise. The lesson: MFA ≠ invulnerable; prioritize phishing-resistant methods (FIDO2), conditional access, and vigilant revocation/rotation of tokens after suspected compromise.

3) Business Email Compromise pivots to payments ops

Wire-transfer BEC incidents rose ~33% in Q1 2025, per APWG. Attackers lean on invoice redirection, vendor profile changes and payroll reroutes (often via AiTM on HR platforms) with believable business context. Strong requester verification (“official channels”), finance playbooks, and role-specific simulations for AP/AR teams move the needle fastest.

4) HTML smuggling and living-off-the-page payloads

Security stacks that block obvious attachments still struggle with HTML smuggling—JavaScript-built blobs that reconstruct malware client-side—or auth phishing that never drops a file. Simulations must train users to spot behavioral tells (unexpected login, 2FA reset, unusual urgency) rather than file types alone.

5) Brand-impersonation infrastructure is faster and cheaper

Look-alike domains, burner hosting, social/app-store imposters, and malvertising spin up quickly. Media coverage shows how domains differing by a character or a different TLD routinely lure victims into payment and credential theft. This is the junction of human risk and external attack surface—detection plus rapid takedown against these phishing trends is now table-stakes.

Program design that actually reduces risk (not just sends tests)

Most organizations still run episodic, generic simulations. Attackers run continuous, context-aware campaigns that exploit the latest phishing trends. Here’s what closes that gap:

1. Weekly, role-aware simulations
   Small, steady waves beat big quarterly events. Sales, finance, support, and executives face different lures—so train them differently. Expect a human-risk baseline in 7 days when cadence begins.
2. Adaptive difficulty and retesting
   Don’t shame repeat clickers—coach and re-test them in tighter loops. Track improvement velocity, not just raw click rate.
3. Measure the right things
   Move beyond “% clicked.” Track report-rate, dwell time, data-entry rate, and a composite Human Risk Number (HRN) by team and role. Tie HRN to business KPIs (fraud loss, invoice error, IR workload).
4. Evidence-by-design
   Every campaign should produce time-stamped artifacts (template, delivery, user actions, re-test results) that map to frameworks and audits. When the board or regulator asks “prove it,” exports beat anecdotes.
5. Close external loops
   Coordinate brand monitoring + takedowns (fake domains, social profiles, app listings, malvertising) so users see fewer traps in the wild. Fast removal improves both security and training effectiveness.

Benchmarks you can steal (and defend)

Use these as starting targets; tune to size and sector.

• Human Risk Number established in 7 days; publish by department.
• Click-through reduction 40–60% in 90 days for targeted cohorts with micro-training and retests.
• Report-rate 2–3x uplift in quarter one.
• Time-to-takedown: median < 24h for domains/hosts; < 12h for social/app stores/ads, with acceptance rates ~75–82% on first notices.
• DMARC+ path to enforcement: ≥90% sender alignment within 30–45 days; staged to p=reject with rollback.

These align with broader industry patterns (phishing dominant in complaints; social engineering a breach driver) while giving teams concrete, time-bounded goals.

---

Compliance and audit reality (plain English)

Regulators and customers are asking for regular phishing simulations, awareness evidence, and time-to-evidence after incidents. Your program must prove its effectiveness against the defining phishing trends of the year. Translate your program outputs into: (1) a quarterly audit pack (campaign configs, cohort lists, outcomes, retest deltas), (2) a risk narrative tied to business processes (payments, HR, customer support), and (3) control maps for email authentication (SPF/DKIM/DMARC) and brand protection (domain takedown receipts, platform case IDs). Doing this well reduces audit time and increases insurer and customer confidence.

---

Where Hunto AI fits (one section, outcome-first)

Hunto HumanRisk (AI Phishing Simulation).
An autonomous agent that runs continuous, role-aware simulations, delivers just-in-time micro-training, and retests to confirm behavior change. Outputs a board-ready Human Risk Number in 7 days and audit-ready evidence for each campaign.

Agentic Brand Monitoring + Takedown.
Detects look-alike domains, social/app imposters, and malvertising; executes platform-native takedowns and verifies with receipts. Targets < 24h domain/host TTD and < 12h social/store TTD.

Agentic DMARC+.
Inventories all senders, fixes SPF/DKIM alignment, and stages enforcement to p=reject safely—reducing spoofing that fuels credential phish and BEC.

Together, these agents reduce exposure and prove it, so CISOs can show measurable progress against the very trends dominating 2025.

---

30-60-90 day plan to get ahead of 2025 phishing

Days 0–30

• Launch weekly, role-aware simulations to two high-risk cohorts (Finance/AP & Customer Support).
• Publish an Official Channels page for vendor/customer comms to blunt support-call scams.
• Start sender discovery for DMARC+.
• Begin brand monitoring watchlist (top look-alike patterns; priority TLDs).

Days 31–60

• Expand simulations to sales and exec assistants; add AiTM-style tests.
• Enforce MFA hardening for payroll/HR/finance platforms; purge long-lived tokens.
• File first takedowns and measure acceptance rate and TTD.

Days 61–90

• Export a quarterly evidence pack with HRN trends and re-test deltas.
• Stage DMARC to quarantine; plan p=reject with rollback.
• Tune finance/AP verification rituals (dual control, call-back via official directory) based on BEC pretexts seen.

Key takeaways for leadership

• Expect phishing to remain the top complaint and a leading breach cause; the phishing trendline is stable even as techniques rotate. (Federal Bureau of Investigation)
• Train continuously, not ceremonially. Weekly micro-assessments and retests beat annual events.
• Prove improvement. HRN, report-rate, and TTD/acceptance rates are board-safe metrics.
• Collapse the loop. Pair human-layer improvement with external infrastructure removal and email authentication—or you’ll train users while leaving the trap in place.

Together, these agents reduce exposure and prove it, so CISOs can show measurable progress against the very phishing trends dominating 2025.

Want the numbers for your environment?

We can run a 14-day Human Risk pilot and a 48-hour external exposure sweep and deliver: an HRN baseline, top risky themes by role, first takedowns with receipts, and a DMARC+ plan to enforcement—so you start 2025’s program with outcomes you can measure and defend.