
Phishing in 2025: Are your clients’ defenses ready for the next wave?
Phishing attacks remain one of the most pervasive and damaging cybersecurity threats. By tricking individuals into revealing sensitive information, such as email credentials, these attacks not only result in direct financial loss but also pave the way for more sophisticated cybercrimes.
In 2023 alone, the U.S. Internet Crime Complaint Center (IC3) received 880,418 complaints from the American public, with potential losses exceeding $12.5 billion. Meanwhile, global cybersecurity leaders like Barracuda have observed a troubling rise in phishing activity, with increasingly advanced tactics making these attacks harder to detect and more devastating to victims.
For example, earlier this year, Barracuda noted the evolution of Tycoon 2FA, a phishing-as-a-service (PhaaS) toolkit used to create highly effective attacks. Tycoon 2FA not only can thwart multifactor authentication (MFA) but also leverages legitimate email accounts, obstructive source code, and the ability to detect and block automated security scripts.
Phishing trends you need to know about
In 2025, there are five primary phishing trends that MSPs need to be aware of and prepare for.
Phishing-as-a-service (PhaaS) kits, like the one described above, will become more common. According to Barracuda’s data, 30% of credential attacks in 2024 used PhaaS, a share that could climb to 50% in 2025. In addition, these tools are evolving to steal MFA codes.
Targeted extortion attacks will increase. These targeted attacks will feature more personalized emotional appeals based on an analysis of the recipient’s social media and communication history, with a rise in extortion/sextortion attacks and demand for payments with greater monetary value. These attacks will also increasingly utilize public social media information, including Google Street View and personal photos shared on various vulnerable platforms. This makes them easier to scale and personalize with the assistance of generative AI.
Attacks will be harder to detect and stop. MSPs can expect to see wider use of evasive techniques such as ASCII-based QR codes, Blob URIs, and shifting the phishing content from the body of the email to an attachment. QR codes and voicemail phishing already account for 20% of phishing detections, and these tactics will increase as criminals find success with them. In addition, attackers embed phishing content in HTML or PDF attachments, leaving the email body blank or with very little text that would trigger a security alert via machine learning analysis.
Attackers will leverage content creation and digital publishing platforms. According to Barracuda, approximately 10% of the phishing attacks detected in 2024 were hosted on CCP (content creation platform) or DDP (digital document publishing) sites. Attackers also used these platforms to create legitimate-looking spoofs of file-sharing platforms. This will continue into 2025 as attackers use these tools to reduce the cost and complexity of creating phishing pages.
AI will be used to improve the success of phishing attacks. Research from the Harvard Business Review in 2024 found that 60% of participants had fallen victim to AI-automated phishing attacks. AI can make these attacks much more difficult to detect by improving the quality of the text in the malicious message. With AI, attackers can create messages with personalized content, precise grammar, and human-like emotional appeals based on an analysis of the recipient’s social media and communication history. AI can also generate deepfake images, voicemails and messages to fool victims. The FBI issued a warning about AI-based attacks last year, and the Harvard Business Review reported that AI-based phishing was 60% effective in fooling victims while reducing the cost of attacks by 95%.
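The evasive techniques named in the "harder to detect" trend above (text-drawn QR codes, Blob URIs, and a nearly blank body paired with an HTML or PDF attachment) can each be checked with simple mail-gateway heuristics. The Python sketch below is an added example, not Barracuda's detection logic or code from the original article; the thresholds, the block-character set, the signal names, and the sample message are assumptions constructed for illustration.

```python
import re
from email import message_from_bytes, policy
from email.message import EmailMessage

BLOCKS = "█▀▄▌▐"      # characters used to draw a QR code as text (assumed set)
BLOB_HINT = re.compile(r"createObjectURL|blob:", re.I)
MIN_BODY_CHARS = 40    # assumed cut-off for a "blank or nearly blank" body

def has_text_qr(text, min_rows=8, min_blocks=8):
    """True when several consecutive lines are dense with block characters."""
    run = 0
    for line in text.splitlines():
        run = run + 1 if sum(ch in BLOCKS for ch in line) >= min_blocks else 0
        if run >= min_rows:
            return True
    return False

def phishing_signals(raw):
    """Return the set of evasion signals found in one raw message (bytes)."""
    msg = message_from_bytes(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("plain", "html"))
    body_text = body.get_content() if body is not None else ""
    visible = re.sub(r"<[^>]+>", "", body_text).strip()
    signals = {"text-drawn QR code"} if has_text_qr(body_text) else set()
    for part in msg.iter_attachments():
        ctype = part.get_content_type()
        if ctype in ("text/html", "application/pdf") and len(visible) < MIN_BODY_CHARS:
            signals.add("near-empty body with HTML/PDF attachment")
        if ctype == "text/html":  # PDF parsing is out of scope here
            html = part.get_content()
            if BLOB_HINT.search(html):
                signals.add("attachment builds a Blob URI")
            if has_text_qr(html):
                signals.add("text-drawn QR code")
    return signals

def constructed_message(body, attachment_html=None):
    """Build a sample message (constructed test data, not a real email)."""
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = "a@example.com", "b@example.com", "Voicemail"
    msg.set_content(body)
    if attachment_html is not None:
        msg.add_attachment(attachment_html, subtype="html", filename="message.html")
    return msg.as_bytes()

if __name__ == "__main__":
    rows = "\n".join("█▀█ ▄█▌▐█▀▄ █▄█" for _ in range(10))
    html = "<script>location = URL.createObjectURL(blob)</script>\n" + rows
    print(sorted(phishing_signals(constructed_message("See attachment.", html))))
```

Signals like these are weak on their own and are best used to raise a message's score or route it to deeper attachment analysis rather than to block outright.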
Phishing protection must evolve
Because phishing remains a relatively low-cost, low-skill, quick and easy way to compromise users and networks with a high degree of success, MSPs and their customers must be prepared to address these emerging trends.
Phishing attacks are becoming more varied, opportunistic, and sophisticated. It is essential to have agile, innovative, multilayered defense strategies and foster a strong security culture to stay ahead of this ever-evolving threat.
Those solutions should include MFA, advanced email authentication protocols like DMARC, and advanced AI-based analysis tools that can “learn” the tactics used by attackers and improve their ability to identify malicious emails. Organizations must also conduct regular security awareness training sessions with updated content to educate employees on the latest threats and provide a clear reporting process when they spot a suspicious email.