Cybercriminals are increasingly favoring low-tech, human-centric attacks to bypass email scanning technologies, according to VIPRE Security.
The report is based on an analysis of global real-world data and highlights the most significant email security trends from the first quarter of 2025.
Callback phishing
Cybercriminals are taking the sentiment “work smarter, not harder” to a whole other level with callback phishing scams, a vector that wasn’t even part of the equation last year In Q1 2025, it accounts for 16% of phishing attempts.
This is pertinent because link usage, which accounted for 75% of phishing attempts in Q1 2024, dropped by 42% in Q1 2025, making room for callbacks, which now account for nearly one in five attempts. Callback phishing is a social engineering attack where victims are tricked into calling a seemingly legitimate phone number through emails or texts to reveal sensitive information or download malware.
With email scanning technology now adept at spotting compromised links, cybercriminals are resorting to callback scams via emails that leave no trace at all.
SVG files are fast becoming cybercriminals’ favoured types of attachments (34%) for phishing attacks, coming a close second to PDF attachments (36%). By embedding the script tag of an SVG file with a malicious URL, attackers execute JavaScript when the link is opened in a web browser, redirecting the user to a compromised website. In doing so, they bypass anti-phishing defenses. The US is the most targeted region for such attacks, followed by Europe.
The backdoor-type malware, XRed, was responsible for the most malware attacks in Q1 2025, surpassing the second-most prominent malware family (Lumma) by a factor of three. StealC, AgentTesla, and Redline followed.
Cybercriminals shift from HTML to PDF
In Q1 2025, not only were 92% of all emails classified as spam, but 67% of those were categorised as malicious. The US is the leading source of spam emails, generating 57% of all spam sent, and receiving 75% of malicious emails. The UK and Ireland stand at 8% each for sending and receiving bad emails.
HTML attachments took up no more than 12% share of cybercriminals’ overall malspam strategy. With heightened awareness about the use of malicious HTML attachments, attackers are looking for less obvious methods, preferring PDFs and SVG files instead.
In Q1, Business Email Compromise (BEC) accounted for 37% of all email scam attacks. 73% of all BEC impersonation cases were instances of the CEO or other C-suite players being imitated. Because of the employee-employer power dynamic, making urgent, unexplained requests may be more plausible coming from higher up the hierarchy, as opposed to from a direct supervisor (9%) or even HR (4%).
The manufacturing sector remains the most targeted sector in the email threat landscape, holding its lead at 36% vis-à-vis the retail and financial sectors, which tie at second place, with each receiving 15% of attackers’ attention.
“There’s a clear shift in cybercriminals’ preference towards low-tech, high-impact, human-centric tactics. This demands a fundamental rethink of email security,” said Usman Choudhary, Chief Product and Technology Officer, VIPRE Security Group.
