Phishing in 2025: How Cybercriminals are Getting Smarter

October 14, 2025

As we near the end of the year, it’s a good time to take a deep look at one of the most persistent and evolving threats from 2025: phishing. What we saw this year was far more sophisticated than the “you’ve won a prize” spam of old. For organizational leaders, understanding how phishing is changing is key to staying ahead of attackers.

Why Phishing Remains a Top Threat

Phishing is still one of the most common ways that attackers gain initial access. According to Verizon’s 2025 Data Breach Investigations Report, phishing and pretexting are among the leading causes of costly data breaches. SMBs are often targeted nearly four times more than larger organizations.
  • Small businesses receive malicious emails at a rate of 1 in 323 on average.
  • Phishing email volume has surged, with reports showing a 1,265% increase driven by generative AI capabilities.
  • Phishing campaigns are no longer restricted to email alone — about 40% of campaigns now extend across multiple channels such as SMS (smishing), collaboration platforms, or even QR-based attacks (quishing).

These evolving tactics allow attackers to bypass legacy defenses, exploit user trust, and reach into varied communication channels like Microsoft Teams, Slack, social media, and texting.

Key Trends in Phishing for 2025

  • AI-Enhanced Lures and Personalization: Attackers can now use large language models (LLMs) and publicly available data to craft hyper-targeted and human-like phishing messages. This reduces obvious red flags and increases click-through rates.
  • Quishing and QR Exploits: QR codes embedded in emails or physical signage are being weaponized to redirect users to malicious landing sites.
  • Multi-Channel Phishing: Phishing is no longer just email-based. Voice phishing (vishing), text-based phishing (smishing), and phishing via collaboration tools like Teams and Slack are increasing. Voice cloning is also creeping into vishing attacks.

Why SMBs Are Particularly Vulnerable

Several conditions make small and mid-sized organizations more exposed to phishing threats:
  • Fewer security resources — many SMBs lack dedicated security teams and rely on generalist IT or outsourced support.
  • Limited threat visibility — less investment in advanced detection, monitoring, or anomaly analytics.
  • More trusting culture — smaller teams often move fast, share access, and skip formal review or gating of requests.
  • Underinvestment in training — while most know of phishing risks, many SMBs either don’t act or use superficial training.
  • Bridging digital growth and security gaps — adopting cloud tools, remote access, and collaboration platforms exposes more credentials that attackers can exploit.

Steps You Can Take Right Now

  • Deploy a specialized phishing simulation campaign tailored to your business profile.
  • Introduce microlearning “phishing tip of the week” reminders via internal email or chat to keep awareness top of mind.
  • Audit your Multi-Factor Authentication setup. Disable weaker forms and shift to more resilient options like authenticator apps and hardware tokens.
  • Run a “request verification drill” for internal teams so they know to validate unusual requests before complying.
  • Review logs for unfamiliar login sources, failed login spikes, or new device enrollments.
  • Update your incident response playbook to explicitly specify how to respond to suspected phishing incidents.
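
An added example (not from the original post) of the log review step above: a Python script that flags unfamiliar login sources, failed login spikes, and new device enrollments in sign-in events. The log format, the per-user baseline of known sources, the thresholds, and the sample events are all assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (assumed format): time user event source_ip device result
SAMPLE_LOG = """\
2025-10-01T08:02:11 alice login 198.51.100.10 dev-a1 success
2025-10-01T08:05:40 bob login 198.51.100.22 dev-b1 success
2025-10-02T03:14:02 bob login 203.0.113.77 dev-b1 failure
2025-10-02T03:14:09 bob login 203.0.113.77 dev-b1 failure
2025-10-02T03:14:15 bob login 203.0.113.77 dev-b1 failure
2025-10-02T03:14:21 bob login 203.0.113.77 dev-b1 failure
2025-10-02T03:14:30 bob login 203.0.113.77 dev-b1 failure
2025-10-02T03:15:02 bob login 203.0.113.77 dev-x9 success
2025-10-02T03:16:45 bob device_enroll 203.0.113.77 dev-x9 success
2025-10-02T09:01:00 alice login 198.51.100.10 dev-a1 success
"""

# Assumed baseline: sources already seen per user in earlier history
KNOWN_SOURCES = {"alice": {"198.51.100.10"}, "bob": {"198.51.100.22"}}
FAIL_THRESHOLD = 5                   # failures per user ...
FAIL_WINDOW = timedelta(minutes=10)  # ... within this sliding window

def review(log_text, known_sources, threshold=FAIL_THRESHOLD, window=FAIL_WINDOW):
    """Return (signal, user, detail, timestamp) tuples for the three signals."""
    findings = []
    recent_failures = defaultdict(list)
    seen = {u: set(s) for u, s in known_sources.items()}  # copy, keep baseline intact
    for line in log_text.splitlines():
        ts, user, event, src, device, result = line.split()
        when = datetime.fromisoformat(ts)
        if event == "device_enroll":
            findings.append(("new_device_enrollment", user, device, ts))
        elif result == "failure":
            # Keep only failures still inside the window, then add this one
            fails = [t for t in recent_failures[user] if when - t <= window] + [when]
            recent_failures[user] = fails
            if len(fails) == threshold:  # report once, when the threshold is crossed
                findings.append(("failed_login_spike", user, src, ts))
        elif src not in seen.setdefault(user, set()):
            # Successful login from a source not in the user's baseline
            findings.append(("unfamiliar_login_source", user, src, ts))
            seen[user].add(src)
    return findings

if __name__ == "__main__":
    for finding in review(SAMPLE_LOG, KNOWN_SOURCES):
        print(*finding)
```

In the sample, the three findings for the same account arrive within three minutes of each other, a sequence that matters more for triage than any single signal alone.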

Partnership Makes This Easier

Dealing with modern phishing at scale requires both technology and process — not just one or the other. A trusted IT Adviser and Managed Service Provider like us at FIT Technologies can help by:
  • Rolling out advanced email protection and URL filtering
  • Designing and managing ongoing phishing simulation programs that adapt over time
  • Advising on phishing-resistant MFA, access policies, and account hygiene
  • Monitoring for abnormal login or credential misuse patterns
  • Executing rapid incident response when a phishing event is detected

Phishing in 2025 wasn't just about user error — it was about sophisticated threat orchestration, multi-channel tactics, and AI tools built to trick us. But with awareness, layered defense, and proactive processes, you can make your organization a much harder target in the future.

Contributor

Matt Skrajner

Matt joined the marketing team at FIT Technologies in 2020. When not cheering on Cleveland and Ohio sports teams, he enjoys spending time with his family, exploring Geauga County parks, watching TV, and playing video games.
