Report by VIPRE
Email Threat Trends Report: Q2 2025
Key Findings
Compromised websites are the second most prevalent link delivery method, at 30%.
Swedish and Norwegian targets comprise a combined 19% of BEC targets.
Among the unidentifiable phishing kits used by phishing sites, Tycoon 2FA accounts for 10%.
After CEOs and executives, the remaining BEC impersonation efforts are aimed at directors and managers (9%), HR personnel (4%), IT staff (3%), and school heads (2%).
Among the unidentifiable phishing kits used by phishing sites, Evilginx accounts for 20%.
The use of URL shorteners accounts for 7% of phishing delivery.
The strategic use of the Danish language in BEC scams is 11.9%.
Among the unidentifiable phishing kits used by phishing sites, 16shop accounts for 7%.
The most observed phishing exploitation mechanisms are HTTP POST to a remote server (52%) and email exfiltration (30%).
58% of phishing sites now use unidentifiable phishing kits.
PDFs remain the preferred vehicle for delivering malicious attachments in phishing, at 64%.
A significant portion of BEC targets are Danish, at 38%.
Financial lures are the number one ploy in phishing emails, representing 35% of samples.
Swedish language use in BEC scams is 3.8%.
Account verification and updates account for 20% of approaches in phishing emails.
Among the unidentifiable phishing kits used by phishing sites, other generic kits account for 5%.
For Business Email Compromise (BEC) attacks, English-speaking executives remain the most targeted at 42%.
Norwegian language use in BEC scams is 1.5%.
Package delivery messages account for 5% of phishing emails.
Lumma Stealer is the most encountered malware family found in the wild during Q2 and is often delivered via malicious .docx, .html, or .pdf attachments, or through phishing links hosted on compromised or legitimate-looking cloud services such as OneDrive and Google Drive.
Healthcare was the third most targeted sector for email-based attacks in Q2 2025, accounting for 19% of attacks.
Retail was the second most targeted sector for email-based attacks in Q2 2025, accounting for 20% of attacks.
Legal or HR notices account for 5% of phishing emails.
Urgency-based messaging is the second most tried approach in phishing emails, at 25%.
Impersonation is the most common technique in BEC scams, with 82% of attempts targeting CEOs and executives.
Travel-themed messages account for 10% of phishing emails.
For phishing delivery, the majority (54%) of cybercriminals leveraged open redirect mechanisms.
The Manufacturing sector was the prime target for email-based attacks in Q2 2025, accounting for 26% of all incidents.