Callback phishing surges as BEC email fraud dominates
VIPRE has reported a sharp rise in callback phishing and continued growth in business email compromise (BEC) attacks. Cybercriminals are increasingly borrowing familiar brands and security-style prompts such as CAPTCHAs to make malicious messages and pages appear legitimate.
Its Q4 2025 Email Threat Trends report analysed 1.5 billion emails and about half a million spam messages. The findings suggest a shift in how attackers run campaigns, with more emphasis on direct interaction and impersonation rather than purely automated approaches.
Callback resurgence
Callback phishing rose from 3% to 18% of all phishing incidents during the quarter, a 500% increase, according to VIPRE. These messages typically prompt recipients to call a phone number included in the email. Attackers then use the call to steal credentials, persuade targets to install remote access software, or convince them to approve payments.
The rise suggests criminals are leaning more heavily on human-to-human manipulation. That approach can bypass automated detection that targets suspicious links, attachments, or known malicious infrastructure.
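Because a callback lure carries no link or attachment, a filter that only scores URLs and files sees nothing to block. The added example below (written for this page, not VIPRE's code) shows the kind of complementary check a mail-security team can run: it treats a phone number as the message's call to action and flags it when the number appears alongside a billing or urgency pretext and there is no URL or attachment. The two sample messages, the phone-number pattern (North-American style only) and the lure vocabulary are all constructed assumptions; tune them to your own mail stream.

```python
"""Heuristic triage for callback (phone-number) phishing."""
import re
from email import message_from_string

# Constructed samples for illustration; they are not taken from the VIPRE report.
CALLBACK_SAMPLE = """\
From: "Billing Department" <no-reply@billing-alerts.example.net>
To: user@example.org
Subject: Your annual protection plan was renewed - $399.99
Content-Type: text/plain

Your subscription has been auto-renewed and $399.99 has been charged to your card.
If you did not authorise this, call our cancellation desk on +1 (800) 555-0199
within 24 hours to dispute the charge.
"""

BENIGN_SAMPLE = """\
From: "Dana" <dana@example.org>
To: user@example.org
Subject: Lunch Thursday?
Content-Type: text/plain

Are you free Thursday? Menu is at https://example.org/menu
Call me on 555-0100 if the link does not load.
"""

# North-American style numbers with an optional country code; extend for other regions.
PHONE_RE = re.compile(r"(?:\+?\d{1,3}[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}")
URL_RE = re.compile(r"https?://|www\.", re.IGNORECASE)
# Assumed lure vocabulary: billing/subscription pretexts plus urgency cues.
LURE_TERMS = ("charged", "renewed", "subscription", "invoice", "refund",
              "dispute", "cancel", "within 24 hours", "immediately", "call")


def _text_parts(msg):
    """Yield the decoded text/plain and text/html bodies of a message."""
    for part in msg.walk():
        if part.get_content_type() in ("text/plain", "text/html"):
            payload = part.get_payload(decode=True) or b""
            yield payload.decode(part.get_content_charset() or "utf-8", "replace")


def triage_callback(raw: str) -> dict:
    """Score a raw RFC 5322 message for the callback-phishing pattern."""
    msg = message_from_string(raw)
    body = "\n".join(_text_parts(msg))
    text = (msg.get("Subject", "") + "\n" + body).lower()
    phones = PHONE_RE.findall(body)
    has_url = bool(URL_RE.search(body))
    has_attachment = any(p.get_filename() for p in msg.walk())
    lures = [t for t in LURE_TERMS if t in text]
    # Core signal: a phone number is the only call to action, and it sits inside
    # a billing/urgency pretext. Links or attachments point to other detectors.
    flagged = bool(phones) and not has_url and not has_attachment and len(lures) >= 2
    return {"phones": phones, "has_url": has_url, "has_attachment": has_attachment,
            "lures": lures, "callback_phish": flagged}
```

The benign sample also contains a phone number and the word "call", which is why the rule requires the absence of a link and at least two lure terms: a phone number on its own is normal business mail, and a rule that fires on it alone will drown the SOC in noise.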
BEC remains dominant
BEC accounted for 51% of email fraud cases in VIPRE's data. These attacks typically rely on impersonation and payment redirection rather than malware delivery, including requests for wire transfers, changes to bank details, payroll diversion, or fraudulent invoices.
Impersonation accounted for 82% of BEC incidents in the quarter, with the remaining 18% attributed to diversion tactics, such as fake invoicing or payroll requests. CEOs and senior executives were the identities most commonly impersonated, appearing in 50% of impersonation-based BEC emails and 41% of all BEC incidents.
VIPRE also highlighted how attackers craft messages. It found file names designed to resemble everyday business documents, including payroll files, invoices, appraisals, and bonus documents. Subject lines were often written to create urgency and prompt quick replies, with examples such as "make this a priority", "paycheck updated", and "account information change required".
Security checks misused
VIPRE observed increased use of CAPTCHAs and "I am not a robot" checks in malicious flows. A crawler or URL sandbox that cannot solve the challenge never reaches the page behind it, so these checks block automated scanners and slow down analysis; they are often paired with fake login screens designed to capture credentials.
These prompts mimic cues users associate with legitimate services. A CAPTCHA can make a site feel more trustworthy, even when it sits in front of a fraudulent login page.
Trusted platforms in the chain
Compromised accounts were the leading source of spam emails in VIPRE's Q4 2025 data. Attackers are hijacking legitimate sites and services and then distributing malicious emails that appear to come from trusted domains.
The report also noted the use of mainstream cloud and developer platforms to host and deliver malicious files, citing Dropbox, Amazon Web Services, and Bitbucket. Because these services blend into normal corporate traffic, they can complicate filtering and incident response.
Outlook for 2026
VIPRE expects more personalised, AI-driven BEC attacks, with finance and HR as primary targets. Attackers are likely to use social engineering cues tied to transactions, HR communications, and payroll updates.
Financial officers and staff with direct access to C-level executives may face heightened risk due to their roles in approval processes and proximity to senior decision-makers.
The report anticipates that PDF and Office files will continue to dominate attachment-based phishing, with tactics evolving to cloud- and hybrid-based delivery. It also predicts an increase in hybrid attacks that combine images and scripts to evade certain sandbox-based detection.
For link-based phishing, VIPRE forecasts greater use of short-lived or AI-generated landing pages, along with more multi-step campaigns in which an initial message gathers information before a later, higher-value attempt. Trusted domains are expected to remain a common part of these workflows.
VIPRE also flagged deepfake technology and other AI-assisted techniques as factors that can increase the realism of phishing campaigns. It expects to see more supply chain exploitation through fraudulent invoices and payment notifications originating from compromised vendor accounts.
Attackers will also increasingly manipulate or obscure email metadata, including spoofed sender identities (display names and the header From address), changes to the envelope sender (the SMTP MAIL FROM, surfaced as Return-Path), and altered or fabricated routing (Received) headers.
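The executive-impersonation pattern described under "BEC remains dominant" and the envelope and header manipulation described just above are both visible in the message headers before anyone reads the body. The added example below (written for this page, not VIPRE's code) parses a raw message with Python's standard `email` module and reports three signals: the envelope sender domain not aligning with the header From domain (the same comparison DMARC's SPF alignment makes), a Reply-To that diverts replies to a different domain, and a display name that borrows an executive's name while the address or reply path cannot be trusted. The organisation domain, the executive list, the two sample messages and the crude "last two labels" organisational-domain rule are constructed assumptions.

```python
"""Header-level triage for executive impersonation and envelope/header mismatches."""
import re
from email import message_from_string
from email.utils import parseaddr

# Assumed: the protected organisation's domain and a short list of executives
# whose display names attackers like to borrow (constructed for this example).
ORG_DOMAIN = "example.org"
EXECUTIVES = {"jane smith": "jane.smith@example.org"}

# Constructed samples for illustration; they are not taken from the VIPRE report.
SAMPLE_BEC = """\
Return-Path: <bounce@mail-relay.example.net>
Received: from mail-relay.example.net (mail-relay.example.net [192.0.2.10])
        by mx.example.org with ESMTP id abc123; Tue, 14 Oct 2025 09:12:01 +0000
Received: from [198.51.100.7] (unknown [198.51.100.7])
        by mail-relay.example.net with ESMTPSA; Tue, 14 Oct 2025 09:11:58 +0000
From: "Jane Smith, CEO" <jane.smith@example.org>
Reply-To: "Jane Smith" <jane.smith.ceo@webmail.example.com>
To: accounts@example.org
Subject: make this a priority
Content-Type: text/plain

Are you at your desk? I need a wire sent before noon. Reply here, I'm in a meeting.
"""

SAMPLE_LEGIT = """\
Return-Path: <jane.smith@example.org>
Received: from mail.example.org (mail.example.org [192.0.2.20])
        by mx.example.org with ESMTP id def456; Tue, 14 Oct 2025 10:00:00 +0000
From: "Jane Smith" <jane.smith@example.org>
To: accounts@example.org
Subject: Q4 budget review
Content-Type: text/plain

Attached is the agenda for Friday.
"""


def domain_of(addr: str) -> str:
    """Lower-cased domain part of an address, or '' if there is none."""
    return addr.rpartition("@")[2].lower() if "@" in addr else ""


def org_domain(domain: str) -> str:
    """Crude organisational domain (last two labels). A production check should use
    the Public Suffix List so that names like example.co.uk are handled correctly."""
    return ".".join(domain.split(".")[-2:])


def normalise_name(name: str) -> str:
    """Strip titles and punctuation so 'Jane Smith, CEO' compares as 'jane smith'."""
    words = re.findall(r"[a-z]+", name.lower())
    titles = {"ceo", "cfo", "coo", "mr", "mrs", "ms", "dr"}
    return " ".join(w for w in words if w not in titles)


def triage_headers(raw: str) -> dict:
    """Return impersonation/mismatch flags and the originating host for a raw message."""
    msg = message_from_string(raw)
    flags = []

    from_name, from_addr = parseaddr(msg.get("From", ""))
    from_dom = domain_of(from_addr)

    # 1. Envelope sender (Return-Path, i.e. MAIL FROM) vs header From. This is the
    #    comparison behind DMARC's SPF alignment; on its own it is a signal, not a verdict,
    #    because mailing lists and bulk senders legitimately misalign.
    _, return_path = parseaddr(msg.get("Return-Path", ""))
    rp_dom = domain_of(return_path)
    if rp_dom and org_domain(rp_dom) != org_domain(from_dom):
        flags.append("envelope_from_mismatch")

    # 2. A Reply-To on another domain diverts the conversation away from the
    #    mailbox the From header claims, which is how a spoofed executive "replies".
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    rt_dom = domain_of(reply_to)
    if rt_dom and org_domain(rt_dom) != org_domain(from_dom):
        flags.append("reply_to_diverted")

    # 3. Display name borrows an executive's name while the address is not that
    #    executive's mailbox, or the message already shows a mismatch above.
    name = normalise_name(from_name)
    for exec_name, exec_addr in EXECUTIVES.items():
        if exec_name in name and (from_addr.lower() != exec_addr or flags):
            flags.append("executive_name_lookalike")
            break

    # 4. The last Received header is the earliest hop: where the message entered
    #    the mail path. Useful context when a trusted relay or account was compromised.
    received = msg.get_all("Received") or []
    origin = None
    if received:
        m = re.search(r"from\s+(\S+)", received[-1])
        origin = m.group(1) if m else None

    return {"flags": flags, "origin_host": origin}
```

Note that the BEC sample spoofs the executive's exact address; only DMARC enforcement on the organisation's domain prevents that from being delivered, and this triage is meant to catch what slips through or arrives as a lookalike. The origin host is reported for the analyst rather than scored, since Received headers below the first trusted hop can themselves be fabricated.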
Usman Choudhary, General Manager, VIPRE Security Group, said the quarter's findings reflect a broader shift in attacker strategy.
"The Q4 2025 data reveals a troubling evolution in the strategy being adopted by cybercriminals - the systematic weaponisation of trust," Choudhary said. "Criminals are undoubtedly exploiting technical vulnerabilities, but they are also exploiting human confidence in the familiar - be that impersonating a trusted supervisor or executive, mimicking reputable companies and household brands, or hiding behind enterprise security protocols. They are targeting 'trust'. Their approach demands that we rethink how we identify and authenticate interactions and security strategies across every communication and business channel."
VIPRE, part of Ziff Davis, sells email security, endpoint security, and security awareness training products. It expects visual deception tactics, including fake login windows and CAPTCHA-based verification steps, to feature more often in phishing campaigns over the coming year.