Customized phishing kits propagate; Scandinavia is a BEC target; Lumma Stealer is the top malware family; and favored persuasion and conversion tactics are revealed
LONDON, Aug. 4, 2025 /PRNewswire/ -- VIPRE Security Group, a global leader and award-winning cybersecurity, privacy, and data protection company, has released its email threat landscape report for Q2 2025. Through an examination of worldwide real-world data, this report sounds the alarm on the most significant email security trends observed in the second quarter of 2025, enabling organizations to develop effective email security defenses for the remainder of the year.
Unidentifiable phishing kit deployments
A striking 58% of phishing sites now use unidentifiable phishing kits. Cybercriminals are deploying unidentifiable phishing kits to propagate malicious campaigns at scale, indicating a trend towards custom-made or obfuscated deployments. These phishing kits can't easily be reverse-engineered, tracked, or caught. AI makes them affordable, too. Among the most prevalent are Evilginx (20%), Tycoon 2FA (10%), 16shop (7%), with another 5% attributed to other generic kits.
Manufacturing, not Retail, is the top target sector
For the sixth quarter in a row, the Manufacturing sector remains the prime target for cybercriminals. In Q2 2025, manufacturers faced the highest volume of email-based attacks - 26% of all incidents - encompassing BEC, phishing, and malspam threats. Retail follows, accounting for 20% of attacks, with Healthcare close behind at 19%, reflecting a consistent trend observed since last year and through Q1 2025.
BEC targets Scandinavia
Scandinavian countries, known for their sophisticated economies and digital infrastructures, have become prime targets for business email compromise (BEC) attacks. Cybercriminals are increasingly focusing on executives in this region, leveraging language and localization for greater effectiveness. While English-speaking executives remain the most targeted for BEC emails (42%), a significant portion are Danish (38%), with the Swedish and Norwegian comprising a combined 19%.
The strategic use of Danish (11.9%), Swedish (3.8%), and Norwegian (1.5%) languages in BEC scams highlights a growing trend toward regional targeting. Although English proficiency is high in Scandinavia, critical corporate communications - especially within HR, finance, and executive teams - often take place in native languages, making localized attacks more convincing.
Impersonation is the most common technique used in BEC scams, with 82% of attempts targeting CEOs and executives. The remaining impersonation efforts are aimed at directors and managers (9%), HR personnel (4%), IT staff (3%), and school heads (2%).
Lumma Stealer, the malware family of the quarter
Lumma Stealer is the most encountered malware family found in the wild during Q2. Analysis shows that it is often delivered via malicious .docx, .html, or .pdf attachments, or through phishing links hosted on compromised or legitimate-looking cloud services such as OneDrive, and Google Drive.
Lumma Stealer is sold as Malware-as-a-Service (MaaS), making it accessible to a broad range of cybercriminals. With active developer support and low cost, it is proving attractive to both novices and experienced cybercriminals.
Top bait, hook, and reel-in tactics
Financial lures representing 35% of the samples - emails regarding money, financial errors, fiduciary imperatives, and such - are the number one ploy used by cybercriminals to get users to open malicious emails. Urgency-based messaging (25%) is the second most tried approach, followed by account verification and updates (20%), travel-themed messages (10%), package delivery (5%), and legal or HR notices (5%).
For phishing delivery, the majority (54%) of cybercriminals leveraged open redirect mechanisms, with legitimate-looking links hosted on marketing services, email tracking systems, and even security platforms to mask the true malicious destination. Compromised websites (30%) are the next most prevalent link delivery method, followed by the use of URL shorteners (7%).
While PDFs (64%) remain the preferred vehicle for delivering malicious attachments, an increasing number now feature embedded QR codes designed to carry out attacks.
Finally, cybercriminals are finishing off their attacks with various exploitation mechanisms, the most observed being HTTP POST to remote server accounting (52%) and email exfiltration (30%).
"It's clear what the threat actors are doing - they are outsmarting humans through hyper-personalized phishing techniques using the full capability of AI and deploying at scale," Usman Choudhary, Chief Product and Technology Officer, VIPRE Security Group, says. "Organizations can no longer rely on standard cybersecurity processes, techniques, and technology. They need comprehensive and advanced email security solutions that can help them to deploy like-for-like defenses - at the very least - if not help them stay a step ahead of the tactics used by cybercriminals."
To read the full report, click here: Email Threat Trends Report: 2025: Q2
VIPRE leverages its vast understanding of email security to equip businesses with the information they need to protect themselves. This report is based on proprietary intelligence gleaned from round-the-clock assessment of the cybersecurity landscape.
About VIPRE Security Group
VIPRE Security Group, part of Ziff Davis, Inc., is a leading provider of internet security solutions purpose-built to protect businesses, solution providers, and home users from costly and malicious cyber threats. With over 25 years of industry expertise, VIPRE is one of the world's largest threat intelligence clouds, delivering exceptional protection against today's most aggressive online threats. Our award-winning software portfolio includes next-generation antivirus endpoint cloud solutions, advanced email security products, along with threat intelligence for real-time malware analysis, and high-quality security awareness training for compliance and risk management. VIPRE solutions deliver an easy-to-use, comprehensive layered defense through cloud-based and server security, with mobile interfaces that enable instant threat response. VIPRE is a proud Advanced Technology Partner of Amazon Web Services, operating globally across North America and Europe.
The group operates under various brands, including VIPRE®, StrongVPN®, IPVanish®, Inspired eLearning®, Livedrive®, and SugarSync®. www.VIPRE.com
View original content:https://www.prnewswire.co.uk/news-releases/cybercriminals-abandon-tech-tricks-for-personalized-deception-tactics-vipres-q2-2025-email-threat-report-reveals-302518924.html
