Phishing 2025: Why It Still Fuels 60% of Cyber Attacks

October 20, 2025

The 2025 picture at a glance

Phishing is still the #1 way attackers break in. Fresh data shows it accounts for ~60% of initial intrusions in Europe, volumes are back near record highs, and AI is supercharging social engineering across email and collaboration apps. The most targeted sectors map closely to NIS2 essential entities: public administration, transport, digital infrastructure and services, finance, and manufacturing (ENISA, 2025).

  • Phishing = dominant entry point. ENISA’s Threat Landscape 2025 identifies phishing (including malspam, vishing, and malvertising) as ~60% of initial access vectors; vulnerability exploitation is a distant second at 21.3% (ENISA, 2025).

  • Attack volumes are surging again. APWG logged 1,003,924 phishing attacks in Q1 2025 (the highest since late 2023) with a notable spike in QR-code (“quishing”) lures and a 33% rise in wire-transfer BEC attempts vs. the prior quarter (APWG, 2025).

  • MSPs under heavy fire. In H1 2025, 52% of attacks on MSPs began with phishing (up from 30% in 2024). Nearly 1 in 4 attacks in collaboration apps involved AI-generated deepfakes or automated exploits (Acronis, 2025).

  • EU sectors in the crosshairs. Public administration leads targeting in the EU (≈38%), followed by transport, digital infrastructure/services, finance, and manufacturing; 53.7% of incidents hit entities classed as essential under NIS2 (ENISA, 2025).

Why phishing stays so effective

  1. It attacks people, not just perimeters. Even as technical defenses improve, a convincing message or fake meeting invite can still capture credentials or MFA tokens, especially inside collaboration tools where trust is assumed. The Acronis H1 2025 data shows attackers shifting from RDP brute-force to social-engineering-first playbooks (Acronis, 2025).

  2. AI scales persuasion. Readily available AI now crafts near-perfect brand impersonations, voice clones, and deepfakes that land via email, chat, or video calls. This aligns with ENISA’s observation that adversaries increasingly leverage AI for productivity and optimization of their operations (ENISA, 2025).

  3. Channel diversification. Beyond classic email, attackers are moving to collab apps (Zoom, Monday.com, Asana, Teams), where security awareness is lower and context switching is constant. ~25% of collaboration-app attacks used deepfakes or automation.

  4. Low cost, high reward. APWG’s Q1 2025 report highlights massive mail volumes and a resurgence of QR-based phishing that bypasses some link scanners and exploits mobile habits. Meanwhile, BEC wire-transfer attempts rose 33% in a single quarter (APWG, 2025).

What’s different in Europe right now

  • Targets mirror critical services. ENISA’s 2025 analysis shows a tight overlap between the most attacked sectors and NIS2 essential entities, underscoring systemic risk: public administration (~38%), transport (~7.5%), digital infrastructure/services (~4.8%), finance (~4.5%), manufacturing (~2.9%). Overall, 53.7% of incidents involved essential entities (ENISA, 2025).

  • Phishing is the front door to ransomware. Ransomware remains a top business disruptor; phishing is frequently the initial access that enables payload delivery and lateral movement (Acronis, 2025).

The modern phishing toolkit (what to expect)

  • AI-assisted BEC: tailored emails/chats with accurate org context, followed by fake CFO/CEO voice calls to pressure fast actions (Acronis, 2025).

  • Collaboration-app lures: meeting invites, doc-share prompts, or ticket comments that lead to token theft or session hijacking.

  • QR (“quishing”) campaigns: printable posters, shipping labels, or emails with QR codes that drive to credential sites or malware (APWG, 2025).

  • Hybrid social engineering: multi-step workflows (email → chat → call) that blend vishing and deepfake media to bypass skepticism (ENISA, 2025).

What works in 2025 (beyond hygiene tips)

  1. Simulate real manipulation, not just quizzes. Run multi-channel simulations (email, SMS, chat, vishing/deepfake calls) that mirror how attackers actually operate today. Track behavioral responses, not just click rates. (Aligned with the shift ENISA and Acronis describe toward social-engineering-driven operations.)

  2. Protect the identity layer. Enforce phishing-resistant MFA (FIDO2/WebAuthn), conditional access, token binding, and robust session management, especially for collaboration suites.

  3. Harden comms channels. Apply link-isolation/safe-view for docs, block external meeting auto-join, restrict OAuth app consent, and monitor for QR-code abuse in inbound content (APWG, 2025).

  4. Detections that understand language. Use email and chat defenses with LLM-native detection for impersonation, intent, and anomalous payment requests, plus data-loss policies tuned to BEC patterns (APWG, 2025).

  5. Prioritize EU-critical sectors. If you’re in public administration, transport, digital infrastructure/services, finance, or manufacturing, align your training and controls to current TTPs, and report under NIS2 as required (ENISA, 2025).
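
As an added illustration of items 3 and 4 (not code from the article or from any cited report), the sketch below triages inbound mail for executive impersonation, payment-request wording, and image-only "scan this code" lures. It is a rule-based stand-in for the language-aware detection described above, and the organisation domain, executive name, keyword list and both sample messages are constructed assumptions.

```python
import email
from email import policy
from email.utils import parseaddr

# Hypothetical values for this example, not taken from the article.
ORG_DOMAIN = "example.com"
EXECUTIVES = {"dana reyes"}
PAYMENT_TERMS = ("wire transfer", "bank details", "urgent payment", "iban")

# Constructed sample messages (BEC-style request, QR-style lure).
BEC_SAMPLE = """\
From: "Dana Reyes" <dana.reyes@example.net>

Please process an urgent payment today and send me the new bank details.
"""
QR_SAMPLE = """\
From: "IT Helpdesk" <helpdesk@example.net>
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Scan the attached code with your phone to keep your account active.
--b1
Content-Type: image/png

iVBORw0KGgo=
--b1--
"""

def triage(raw):
    """Return the sorted list of indicators found in one raw RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    name, addr = parseaddr(msg.get("From", ""))
    from_dom = addr.rpartition("@")[2].lower()
    part = msg.get_body(preferencelist=("plain",))
    body = part.get_content().lower() if part else ""
    flags = set()
    # Impersonation: an executive's display name on an outside address.
    if name.lower() in EXECUTIVES and from_dom != ORG_DOMAIN:
        flags.add("exec-name-external-sender")
    # Intent: wording typical of a payment or bank-detail change request.
    if any(term in body for term in PAYMENT_TERMS):
        flags.add("payment-request-language")
    # Quishing hint: image attached, text says "scan", no URL for a link scanner.
    has_image = any(p.get_content_maintype() == "image" for p in msg.iter_attachments())
    if has_image and "scan" in body and "http" not in body:
        flags.add("image-only-call-to-scan")
    return sorted(flags)
```

Flags like these are triage signals for review or quarantine, not verdicts; confirming an actual QR code in the image requires decoding it with an image library, which this sketch does not do.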

FAQ:

Isn’t phishing just an email problem?

Not anymore. In 2025, phishing is channel-agnostic and AI-amplified. It now thrives in the tools we use most (Teams, Slack, Zoom, project boards, and ticketing systems) and often culminates in ransomware, account takeover, or fraudulent payments. 

How is AI changing phishing attacks?

AI makes phishing faster, smarter, and more convincing. Attackers now automate entire campaigns, from writing emails to generating deepfake voices or videos. That’s why even well-trained employees are being tricked into trusting fake calls, chats, or meeting invites.

Can awareness training actually stop phishing?

Only if it mirrors reality. Static e-learning can’t prepare people for AI-driven attacks. Simulations that include deepfake voice calls, chat messages, and multi-step lures build real behavioral resilience, not just knowledge.