More Sophisticated Phishing Tactics Are Increasing Cyber Risks

There is an alarming trend in cybersecurity in which more than 90 percent of phishing campaigns result in victims' devices being infected with malware.

Phishing is a type of cyber-attack where attackers disguise themselves as trustworthy entities to trick individuals into revealing sensitive information, such as passwords, credit card numbers, or other personal data. This is typically done through deceptive emails, websites, or text messages that appear legitimate.

The 90 percent figure is based on data collected from various cybersecurity studies and reports. These studies analyze the outcomes of phishing attacks and the types of malware delivered through these campaigns.

Phishing has become one of the most prevalent forms of cyber-attacks, with attackers constantly evolving their methods to bypass security measures.

Many individuals and organizations do not have adequate security measures in place to detect and prevent phishing attacks. This includes lack of employee training, outdated security software, and insufficient monitoring of suspicious activities.

The malware delivered through phishing campaigns can vary, including ransomware, spyware, and trojans, all of which can have devastating effects on the victim's data and systems.

Commentary

According to the FBI's Internet Crime Complaint Center (IC3), phishing (including email and social media scams) is the most reported cybercrime category.

In 2022, the IC3 received over 300,000 phishing complaints, leading to significant financial losses. The Anti-Phishing Working Group (APWG) observed nearly five million phishing attacks in 2023, marking the worst year on record.

Additionally, Kaspersky's anti-phishing systems blocked over 700 million phishing attempts in 2023, a 40 percent increase from the previous year.

Phishing trends indicate a continuous rise in attack volumes, with attackers employing more sophisticated tactics such as multi-factor authentication (MFA) bypass and QR-code phishing.

Organizations are frequently targeted, with 94 percent of them experiencing phishing attacks in 2023.

The final takeaway is that the prevalence of phishing underscores the need for robust security measures, ongoing knowledge of types of scams, and vigilance to protect against these threats.

Sources: https://www.securitymagazine.com/articles/101115-over-90-of-phishing-campaigns-lead-victims-to-malware and https://controld.com/blog/phishing-statistics-industry-trends/

Here is a checklist of common phishing scams:

  • Unsolicited emails (a/k/a phishing), texts (a/k/a smishing), or messages that appear to be from a legitimate source that contain:
    • Demands for private information/credentials/personal identifiers
    • Offers of money or valuables in exchange for private information/credentials/personal identifiers
    • Demands to perform an action and/or select a link/attachment
    • Threats made unless an action is taken and/or a link/attachment is selected
  • Unsolicited emails, texts, or messages offering deals/goods/money
  • Emails requesting consideration for employment
  • Unsolicited responses to offers of employment with attachments/links
  • Online messages purporting to be from employees/contractors/agents/vendors requesting changes to direct deposit/transfer/wire instructions
  • Online messages from public entities/law enforcement threatening fines/penalties/incarceration
  • Targeted online messages to a person/organization using familiar information/tone/language demanding unsolicited/unusual action or altering previously agreed instructions (a/k/a spear phishing or whale phishing)
  • Routine online messages that have added links or attachments or have replaced/altered the routine links/attachments (a/k/a clone phishing)
  • Links to imitation websites that request/demand private information/credentials/personal identifiers
  • Imitation/fraudulent notifications/ads on legitimate websites/browsers (a/k/a pop-up phishing)
  • Imitation/fraudulent social media notices or posts that request/demand private information/credentials/personal identifiers (a/k/a angler phishing)
  • Voice calls imitating legitimate persons/organizations/agencies requesting/demanding private information/credentials/personal identifiers (a/k/a vishing)
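
As an added example (not part of the article or its sources), the checklist above encoded as a mail-triage heuristic: each category becomes a pair of topic terms and action terms, a message is scored on the categories it hits plus whether the sender domain is one the organisation knows, and three constructed sample messages (the home domain acme.example, the sender addresses and all message text are assumed) show a direct-deposit change lure, a credential lure sent from an internal-looking address, and a benign notice.

```python
import re
from dataclasses import dataclass

# Checklist categories from the article, each as (topic terms, action terms). A
# category hits only when both a topic word and an action word appear, which
# cuts false positives; patterns are constructed, loose, and allow prefix matches.
RULES = {
    "credential_demand":          (r"password|credential|login|social security|ssn",
                                   r"verify|confirm|update|re-?enter|provide|send"),
    "payment_instruction_change": (r"direct deposit|wire|bank account|routing number",
                                   r"change|update|new|switch"),
    "threat_or_penalty":          (r"fine|penalt|arrest|incarcerat|suspend|legal action|terminat",
                                   r"unless|within|immediately|failure to|or your"),
    "money_or_deal_offer":        (r"prize|lottery|won\b|gift ?card|reward|free",
                                   r"claim|send|provide|enter"),
    "employment_lure":            (r"job|position|employment|hiring|resume",
                                   r"attach|click|link|apply"),
    "link_or_attachment_push":    (r"link|attach|file|document",
                                   r"click|open|download|view|review"),
}
_COMPILED = {name: (re.compile(rf"\b(?:{t})", re.I), re.compile(rf"\b(?:{a})", re.I))
             for name, (t, a) in RULES.items()}

@dataclass
class Verdict:
    score: int
    hits: list
    flagged: bool

def triage(sender: str, subject: str, body: str, trusted_domains=(), threshold=2) -> Verdict:
    """Score one message against the checklist; score >= threshold means hold for review."""
    text = f"{subject}\n{body}"
    hits = [name for name, (topic, action) in _COMPILED.items()
            if topic.search(text) and action.search(text)]
    # Unsolicited source: the sender domain is not on the organisation's known list.
    # A trusted domain does not clear a message on its own, since it may be spoofed.
    domain = sender.rsplit("@", 1)[-1].lower()
    if domain not in trusted_domains:
        hits.append("unknown_sender")
    return Verdict(score=len(hits), hits=hits, flagged=len(hits) >= threshold)

# Constructed sample messages (not real mail); acme.example is the assumed home domain.
TRUSTED = ("acme.example",)
SAMPLES = [
    ("payroll@acme-corp-hr.com", "Direct deposit update",
     "Hi, I changed banks. Please update my direct deposit to the new routing number below."),
    ("it-support@acme.example", "Password expiring",
     "Verify your credentials within 24 hours or your account will be suspended. Click the link here."),
    ("hr@acme.example", "Benefits enrollment reminder",
     "Open enrollment closes Nov 15. Log in to the benefits portal at your convenience."),
]
```

Calling `triage(*msg, TRUSTED)` for each entry in `SAMPLES` flags the first two (scores 2 and 3) and passes the third (score 0); the threshold and term lists are the knobs to tune against real traffic.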