Phishing attacks surge as criminals exploit trusted platforms in 2025
KnowBe4 has released its 2025 Phishing Threat Trends Report, highlighting significant changes in cybercriminal strategies and a marked increase in phishing incidents targeting businesses worldwide.
Platform exploitation
The report details a 67% rise in the abuse of established business platforms such as QuickBooks, Zoom, SharePoint, and PayPal. Attackers use these legitimate services as delivery channels, which lets their phishing emails evade conventional security mechanisms. Because the messages originate from the platforms' own trusted domains, they routinely pass email authentication checks, making detection and prevention considerably more difficult for organisations.
Seasonal targeting
Researchers noted clear patterns in phishing themes aligned to the calendar year. January saw spikes in attacks exploiting HR-related topics, accounting for 33% of phishing lures. February brought another increase, with 35% of campaigns capitalising on Valentine's Day promotions. Criminals also tailored their tactics for other annual events, such as tax deadlines in April and notable sports events.
"As cybercriminals bypass technical defenses using techniques such as hijacking legitimate platforms and manipulate victims through a variety of sophisticated social engineering methods, organisations need to prioritise workforce trust management," said Jack Chapman, SVP Threat Intelligence, KnowBe4.
Major retailer breaches
The report provides analysis of the recent Scattered Spider operation, which targeted several prominent retailers including M&S, Co-Op and Harrods. These orchestrated intrusions led to significant losses, reaching hundreds of millions in damages. In the aftermath, attackers rolled out tailored secondary phishing campaigns, impersonating compromised brands to harvest customer credentials. The Scattered Spider group employed a mix of social engineering, voice phishing (vishing), multifactor authentication (MFA) fatigue techniques, and sophisticated credential harvesting to target both organisational security systems and employees directly.
Vishing escalation
A steep rise in phone-based vishing was reported, with incidents increasing 449% compared to last year. Within the sample, phone numbers appeared as the sole payload in 5.5% of phishing messages. Artificial intelligence played a major role, with 77% of fraudulent callback numbers deploying AI-generated voices and 69% of attacks centred on financial deception such as altering bank details or issuing false refunds and transfers.
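The "phone number as the sole payload" pattern described above can be turned into a triage heuristic. The following is an added illustration, not code from the report or from KnowBe4: it scores plain-text message bodies on three signals (a phone number with no link or attachment, financial wording, and call-me urgency) and flags those above a threshold for review. The sample messages, regex and term lists are constructed for this example.

```python
import re
from dataclasses import dataclass, field

# Constructed sample messages (not taken from the report): plain-text bodies.
SAMPLES = {
    "callback": "Your subscription was renewed for $349.99. To cancel or request "
                "a refund, call 1-800-555-0142 within 24 hours.",
    "link": "Your invoice is ready: https://example.com/inv/1234 Thanks!",
    "benign": "Reminder: the office line is now (555) 010-9999; nothing else changes.",
}

URL_RE = re.compile(r"https?://\S+|www\.\S+", re.I)
# North American style numbers only; a production filter would use a phone-number library.
PHONE_RE = re.compile(r"(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}")
# Themes the report associates with vishing: refunds, transfers, bank-detail changes.
FINANCE_TERMS = ("refund", "transfer", "bank details", "invoice", "renewed", "charged")
URGENCY_TERMS = ("call", "contact us", "cancel", "immediately", "within 24 hours")

@dataclass
class Verdict:
    phones: list = field(default_factory=list)
    has_link: bool = False
    has_attachment: bool = False
    score: int = 0
    reasons: list = field(default_factory=list)

def score_message(body: str, attachments: int = 0) -> Verdict:
    """Heuristically score one message for callback-phishing traits."""
    v = Verdict(phones=PHONE_RE.findall(body),
                has_link=bool(URL_RE.search(body)),
                has_attachment=attachments > 0)
    text = body.lower()
    # Core signal from the report: a phone number is the only payload.
    if v.phones and not v.has_link and not v.has_attachment:
        v.score += 2
        v.reasons.append("phone number is the only call to action")
    if any(t in text for t in FINANCE_TERMS):
        v.score += 1
        v.reasons.append("financial theme")
    if any(t in text for t in URGENCY_TERMS):
        v.score += 1
        v.reasons.append("urgency / call-me wording")
    return v

def is_callback_candidate(body: str, attachments: int = 0, threshold: int = 3) -> bool:
    """True when the message should be routed for review as a possible vishing lure."""
    return score_message(body, attachments).score >= threshold
```

The benign office-line notice scores on the phone-only signal alone and stays below the threshold, which is why the heuristic combines it with theme and urgency rather than flagging every number.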
Defence challenges
The integration of trusted platforms into everyday workplace operations has made it increasingly easy for malicious actors to evade perimeter security checks. Traditional email filters and authentication systems are now being side-stepped, highlighting the need for businesses to revisit their monitoring and response measures.
Chapman said, "The findings from this report revealed that attackers demonstrated clear seasonal targeting throughout 2025, exploiting HR topics in January, Valentine's promotions in February, tax deadlines in April, and major events like the U.S. Open. As more attacks find their way through traditional email security defenses, it is critical that organisations evolve their tech stack to implement AI-driven detection that works within a holistic human risk management (HRM) ecosystem."
According to the report, a growing number of attacks seamlessly combine social engineering and technical exploits, demanding a coordinated approach that addresses both system-level vulnerabilities and user awareness.
"Scattered Spider's signature tactics (including combining sophisticated social engineering, vishing, MFA bombing and credential harvesting) combine techniques that target both the technical and human layers as part of their attack methodology," said Chapman.