Security | Threat Detection | Cyberattacks | DevSecOps | Compliance

INKY has published its annual report on email security, finding that phishing accounted for 30% of all reported cybercrimes last year. “Phishing threats grew in both volume and sophistication, introducing new attack vectors like QR codes, cross-site scripting, and weaponized file types (e.g., RTF and DOT),” the report says. “Cybercriminals also increasingly exploited trusted services such as DocuSign and PayPal, underscoring the urgent need for adaptive, robust security solutions.”

The average amount of money requested in business email compromise (BEC) attacks spiked to $128,980 in the fourth quarter of 2024, according to the Anti-Phishing Working Group’s (APWG’s) latest report. This is nearly double the amount requested during Q3 2024. The researchers found that Gmail accounts were used to launch 81 percent of BEC scams last quarter. The report also warns of a surge in SMS phishing scams impersonating toll operators in the US, driven by a popular Chinese phishing kit.

In March 2025, several US federal agencies issued a joint warning on the phishing-based, ransomware-as-a-service (RaaS) threat group Medusa and are encouraging organizations to implement mitigations to reduce the likelihood of being impacted by an attack.

Phishing-as-a-service (PhaaS) platforms drove a surge in phishing attacks in the first two months of 2025, according to researchers at Barracuda. PhaaS platforms, which provide criminals with a ready-made kit for launching advanced phishing attacks, were responsible for more than a million attacks in January and February. Three PhaaS platforms accounted for nearly all of these attacks, with the Tycoon 2FA kit dominating the market.

Threat actors are abusing Microsoft’s infrastructure to launch phishing attacks that can bypass security measures, according to researchers at Guardz. The attackers compromise multiple Microsoft 365 tenants in order to generate legitimate transaction notifications that contain phishing messages.

Our latest Phishing Threat Trends Report explores the evolving phishing landscape in 2025, from renewed tactics to emerging attack techniques. Ransomware may be an “old” threat, but new tactics are making people more susceptible than ever. In this edition, we break down a highly advanced attack detected by KnowBe4 Defend that bypassed native security and a secure email gateway (SEG)—and would have been nearly impossible to stop if launched.

Business email compromise (BEC) attacks rose 13% last month, with the average requested wire transfer increasing to $39,315, according to a new report from Fortra. “The average amount requested from BEC wire transfer attackers was $39,315 in February compared to $24,586 in January 2025, an increase of 60%,” the report says.

A phishing campaign is impersonating travel agency Booking.com to target employees in the hospitality industry, according to researchers at Microsoft. The attacks use a social engineering technique called “ClickFix” to trick victims into downloading malware.

A KnowBe4 Threat Lab publication Authors: Martin Kraemer, Jeewan Singh Jalal, Anand Bodke, and James Dyer EXECUTIVE SUMMARY: We observed a 98% rise in phishing campaigns hosted on Russian (.ru) top-level domains (TLDs) from December 2024 to January 2025, primarily used for credential harvesting. These Russian.ru domains are run by so-called “bullet-proof” hosting providers, that are known to keep malicious domains running and ignore abuse reports which is ideal for cybercriminals.