Callback phishing jumps 500%, cybercriminals turn trust and legitimacy against organizations
LONDON, Feb. 4, 2026 /PRNewswire/ -- VIPRE Security Group, a global leader and award-winning cybersecurity, privacy, and data protection company, releases its Q4 2025 Email Threat Trends Report. Processing and analyzing 1.5 billion emails and half a million spam messages, this report spotlights the major email security threats that surfaced in Q4 2025. Predicting the threat trends that will be dominant in 2026, the report's findings are intended to help organizations fortify their email defenses against the ever-evolving techniques cybercriminals use to bypass conventional security systems.
Callback phishing jumps 500%
During Q4 2025, callback phishing scams experienced a resurgence, rising from just 3% to a substantial 18% of all phishing incidents. This represents a remarkable 500% spike and underscores a notable shift back toward leveraging direct human interaction as a key tool for manipulation.
Work fraud delivers success
Business Email Compromise (BEC) consistently remains a powerhouse for cybercriminals across the broader phishing threat landscape. Accounting for 51% of all email fraud cases, BEC's ongoing prevalence highlights that corporate environments often lack robust protection.
Security measures backfire
Cyber attackers are weaponizing the very security features designed to protect organizations. Q4 2025 saw a noticeable uptick in the use of tools like CAPTCHAs and 'I am not a robot' checks to block automated security scanners. Cybercriminals are pairing these tactics with sophisticated fake login screens to steal credentials, evade detection, and trick users into believing they're interacting with secure, legitimate sites.
Trusted brands becoming a risk factor
Attackers are playing the trust game strategically. In Q4 2025, compromised accounts were the number one source of spam emails. Cybercriminals take over legitimate sites, such as Microsoft, to distribute malicious emails under the guise of trusted domains. Likewise, in Q4 2025, attackers increasingly relied on trusted cloud and developer platforms, including Dropbox, Amazon Web Services, and Bitbucket, to host and deliver malicious files.
Well-known brands don't arouse suspicions, but maybe they should.
Impersonation is the dominant BEC email type
Impersonation continues to be the leading form of BEC emails, making up 82% of all BEC incidents for yet another quarter. The remaining 18% are attributed to diversion tactics, such as fraudulent invoices or fake payroll requests.
In Q4 2025, CEOs and senior executives were the top targets for impersonation in BEC attacks, accounting for 50% of impersonation-based BEC emails, or 41% of total BEC incidents. These scams target smaller companies that have flat, close-knit organizational structures. In such environments, it is not uncommon for a senior executive, like the CEO, to directly request an action such as a fund transfer.
Legitimate file naming conventions, urgency-driven subject lines
Threat actors commonly used file naming conventions that resembled legitimate business and personal documents, such as salary and payroll files, invoice-related documents, employee appraisals, incentive and bonus documents, and so on.
Similarly, BEC email subject lines were crafted to convey a sense of urgency, encourage immediate replies, and enable financial exploitation, such as "make this a priority", "paycheck updated", "account information change required", and so forth.
"The Q4 2025 data reveals a troubling evolution in the strategy being adopted by cybercriminals - the systematic weaponization of trust," Usman Choudhary, General Manager, VIPRE Security Group, says. "Criminals are undoubtedly exploiting technical vulnerabilities, but they are also exploiting human confidence in the familiar - be that impersonating a trusted supervisor or executive, mimicking reputable companies and household brands, or hiding behind enterprise security protocols. They are targeting 'trust'. Their approach demands that we rethink how we identify and authenticate interactions and security strategies across every communication and business channel."
Email security threats and techniques to watch out for in 2026
Expect more personalised and AI-driven BEC attacks, with finance and HR as top targets. Threat actors will leverage social engineering based on recent transactions, HR communications, and payroll updates.
Financial officers or employees with direct access to C-level executives should remain especially vigilant, as their proximity to such individuals makes them prime targets for these sophisticated impersonation schemes.
PDF and Office files will continue to dominate in attachment-based phishing attacks. Tactics will evolve through cloud-based and hybrid delivery of attachments. Hybrid attacks combining images and scripts to evade sandbox detection will increase, while cloud-hosted file links from trusted platforms like OneDrive and Google Drive will replace traditional attachments to bypass email scanners.
Link-based phishing with short-lived or AI-generated landing pages will increase. Organizations will see an increased use of AI-generated phishing pages for credential theft, a rise in multi-step phishing campaigns where initial phishing emails collect data to trigger later high-value attacks, and trusted domains being used and exploited.
Deepfake technology and AI-assisted threats will significantly increase the realism of phishing campaigns, while supply chain exploitation through fraudulent invoices and payment notifications from compromised vendor accounts is expected to surge. Malicious actors will increasingly manipulate or obscure email metadata, including spoofed sender identities, envelope sender information, and routing headers, to evade security controls. While legacy headers such as X-Origin-IP and custom routing headers may appear in some messages, attackers more commonly exploit weaknesses in sender authentication, header consistency, and trust relationships to sidestep detection and increase campaign credibility.
Anticipate a rise in visual deception tactics, such as fake login windows that steal user credentials, alongside the exploitation of CAPTCHA-based verification to evade automated security checks and reach users.
To read the full report, click here: VIPRE Email Threat Trends Report: Q4 2025
VIPRE leverages its vast understanding of email security to equip businesses with the information they need to protect themselves. This report is based on proprietary intelligence gleaned from round-the-clock assessment of the cybersecurity landscape.
About VIPRE Security Group
VIPRE Security Group, part of Ziff Davis, Inc., is a leading provider of internet security solutions purpose-built to protect businesses, solution providers, and home users from costly and malicious cyber threats. With over 25 years of industry expertise, VIPRE is one of the world's largest threat intelligence clouds, delivering exceptional protection against today's most aggressive online threats. Our award-winning software portfolio includes next-generation antivirus endpoint cloud solutions, advanced email security products, along with threat intelligence for real-time malware analysis, and high-quality security awareness training for compliance and risk management. VIPRE solutions deliver an easy-to-use, comprehensive layered defense through cloud-based and server security, with mobile interfaces that enable instant threat response. VIPRE is a proud Advanced Technology Partner of Amazon Web Services, operating globally across North America and Europe.
The group operates under various brands, including VIPRE, StrongVPN, IPVanish, Inspired eLearning, Livedrive, and SugarSync. www.VIPRE.com
View original content: https://www.prnewswire.co.uk/news-releases/cybercriminals-key-attack-vector-is-trust-vipres-q4-2025-email-threat-report-reveals-302678821.html

