Report by VIPRE

Email Threat Trends Report: Q2 2025

30 FINDINGSPublished Aug 4, 2025
View Original Report →

Key Findings

Compromised websites are the second most prevalent link delivery method, at 30%.

VipreEmail Threat Trends Report: Q2 2025·9mo ago
EmailPhishingPhishing delivery

Swedish and Norwegian targets comprise a combined 19% of BEC targets.

VipreEmail Threat Trends Report: Q2 2025·9mo ago
EmailPhishingBECSwedenNorway

Among the unidentifiable phishing kits used by phishing sites, Tycoon 2FA accounts for 10%.

VipreEmail Threat Trends Report: Q2 2025·9mo ago
EmailPhishingPhishing kit

After CEOs and executives, the remaining BEC impersonation efforts are aimed at directors and managers (9%), HR personnel (4%), IT staff (3%), and school heads (2%).

VipreEmail Threat Trends Report: Q2 2025·9mo ago
EmailPhishingBECImpersonationHR

Among the unidentifiable phishing kits used by phishing sites, Evilginx accounts for 20%.

VipreEmail Threat Trends Report: Q2 2025·9mo ago
EmailPhishingPhishing kit

The use of URL shorteners accounts for 7% of phishing delivery.

VipreEmail Threat Trends Report: Q2 2025·9mo ago
EmailPhishingPhishing delivery

The strategic use of Danish language in BEC scams is 11.9%.

VipreEmail Threat Trends Report: Q2 2025·9mo ago
EmailPhishingBECDenmark

Among the unidentifiable phishing kits used by phishing sites, 16shop accounts for 7%.

VipreEmail Threat Trends Report: Q2 2025·9mo ago
EmailPhishingPhishing kit

The most observed phishing exploitation mechanisms are HTTP POST to remote server accounting (52%) and email exfiltration (30%).

VipreEmail Threat Trends Report: Q2 2025·9mo ago
EmailPhishing

58% of phishing sites now use unidentifiable phishing kits.

VipreEmail Threat Trends Report: Q2 2025·9mo ago
EmailPhishingPhishing kit

PDFs remain the preferred vehicle for delivering malicious attachments in phishing, at 64%.

VipreEmail Threat Trends Report: Q2 2025·9mo ago
EmailPhishingPhishing deliveryPDF

A significant portion of BEC targets are Danish, at 38%.

VipreEmail Threat Trends Report: Q2 2025·9mo ago
EmailPhishingBECDenmark

Financial lures are the number one ploy in phishing emails, representing 35% of samples.

VipreEmail Threat Trends Report: Q2 2025·9mo ago
EmailPhishingPhishing lure

Swedish language use in BEC scams is 3.8%.

VipreEmail Threat Trends Report: Q2 2025·9mo ago
EmailPhishingBECSweden

Account verification and updates account for 20% of approaches in phishing emails.

VipreEmail Threat Trends Report: Q2 2025·9mo ago
EmailPhishingPhishing lure

Among the unidentifiable phishing kits used by phishing sites, other generic kits account for 5%.

VipreEmail Threat Trends Report: Q2 2025·9mo ago
EmailPhishingPhishing kit

For Business Email Compromise (BEC) attacks, English-speaking executives remain the most targeted at 42%.

VipreEmail Threat Trends Report: Q2 2025·9mo ago
EmailPhishingBECExecutives

Norwegian language use in BEC scams is 1.5%.

VipreEmail Threat Trends Report: Q2 2025·9mo ago
EmailPhishingBECNorway

Package delivery messages account for 5% in phishing emails.

VipreEmail Threat Trends Report: Q2 2025·9mo ago
EmailPhishingPhishing lure

Lumma Stealer is the most encountered malware family found in the wild during Q2 and is often delivered via malicious .docx, .html, or .pdf attachments, or through phishing links hosted on compromised or legitimate-looking cloud services such as OneDrive, and Google Drive.

VipreEmail Threat Trends Report: Q2 2025·9mo ago
EmailPhishingLumma Stealer

Healthcare was the third most targeted sector for email-based attacks in Q2 2025, accounting for 19% of attacks.

VipreEmail Threat Trends Report: Q2 2025·9mo ago
EmailPhishingHealthcare

Retail was the second most targeted sector for email-based attacks in Q2 2025, accounting for 20% of attacks.

VipreEmail Threat Trends Report: Q2 2025·9mo ago
EmailPhishingRetail

Legal or HR notices account for 5% in phishing emails.

VipreEmail Threat Trends Report: Q2 2025·9mo ago
EmailPhishingPhishing lure

Urgency-based messaging is the second most tried approach in phishing emails, at 25%.

VipreEmail Threat Trends Report: Q2 2025·9mo ago
EmailPhishingPhishing lure

Impersonation is the most common technique in BEC scams, with 82% of attempts targeting CEOs and executives.

VipreEmail Threat Trends Report: Q2 2025·9mo ago
EmailPhishingBECImpersonationCEO

Travel-themed messages account for 10% in phishing emails.

VipreEmail Threat Trends Report: Q2 2025·9mo ago
EmailPhishingPhishing lure

For phishing delivery, the majority (54%) of cybercriminals leveraged open redirect mechanisms.

VipreEmail Threat Trends Report: Q2 2025·9mo ago
EmailPhishingPhishing delivery

The Manufacturing sector was the prime target for email-based attacks in Q2 2025, accounting for 26% of all incidents.

VipreEmail Threat Trends Report: Q2 2025·9mo ago
EmailPhishingManufacturing

Travel-themed messages account for 10% in phishing emails.

VipreEmail Threat Trends Report: Q2 2025·9mo ago
EmailPhishingPhishing lure

Legal or HR notices account for 5% in phishing emails.

VipreEmail Threat Trends Report: Q2 2025·9mo ago
EmailPhishingPhishing lure