VIPRE
Reports
All Statistics
Compromised websites are the second most prevalent link delivery method, at 30%.
Swedish and Norwegian targets comprise a combined 19% of BEC targets.
Among the unidentifiable phishing kits used by phishing sites, Tycoon 2FA accounts for 10%.
After CEOs and executives, the remaining BEC impersonation efforts are aimed at directors and managers (9%), HR personnel (4%), IT staff (3%), and school heads (2%).
Among the unidentifiable phishing kits used by phishing sites, Evilginx accounts for 20%.
The use of URL shorteners accounts for 7% of phishing delivery.
The strategic use of Danish language in BEC scams is 11.9%.
Among the unidentifiable phishing kits used by phishing sites, 16shop accounts for 7%.
The most observed phishing exploitation mechanisms are HTTP POST to a remote server (52%) and email exfiltration (30%).
58% of phishing sites now use unidentifiable phishing kits.
PDFs remain the preferred vehicle for delivering malicious attachments in phishing, at 64%.
A significant portion of BEC targets are Danish, at 38%.
Financial lures are the number one ploy in phishing emails, representing 35% of samples.
Swedish language use in BEC scams is 3.8%.
Account verification and updates account for 20% of approaches in phishing emails.
Among the unidentifiable phishing kits used by phishing sites, other generic kits account for 5%.
For Business Email Compromise (BEC) attacks, English-speaking executives remain the most targeted at 42%.
Norwegian language use in BEC scams is 1.5%.
Package delivery messages account for 5% in phishing emails.
Lumma Stealer is the most encountered malware family found in the wild during Q2 and is often delivered via malicious .docx, .html, or .pdf attachments, or through phishing links hosted on compromised or legitimate-looking cloud services such as OneDrive and Google Drive.
Healthcare was the third most targeted sector for email-based attacks in Q2 2025, accounting for 19% of attacks.
Retail was the second most targeted sector for email-based attacks in Q2 2025, accounting for 20% of attacks.
Legal or HR notices account for 5% in phishing emails.
Urgency-based messaging is the second most tried approach in phishing emails, at 25%.
Impersonation is the most common technique in BEC scams, with 82% of attempts targeting CEOs and executives.
Travel-themed messages account for 10% in phishing emails.
For phishing delivery, the majority (54%) of cybercriminals leveraged open redirect mechanisms.
The Manufacturing sector was the prime target for email-based attacks in Q2 2025, accounting for 26% of all incidents.
74% of the time, CEOs and executives were the roles that were compromised.
Regarding phishing links, URL redirection was the most employed tactic (51%), followed by compromised websites (19%) and newly created domains (7%).
The manufacturing sector (32%) was the most targeted industry sector for email-based attacks.
Over nine out of 10 emails were categorised as spam by VIPRE.
The use of QR codes for phishing peaked at 12% in Q4 of 2024.
VIPRE processed 7.2 billion emails globally, of which 858 million were spam.
Threat actors leveraged 'impersonation' as a tactic in an average of 88% of all BEC cases.
Phishing tactics with links were most popular (70%), followed by attachments (25%) and QR codes (5%).
Of the never-seen-before spam emails, 37% fell into the commercial, 32% into the scam, and 21% into the phishing categories of spam.