VIPRE’s Q2 2025 Email Threat Report Reveals Cybercriminals Abandon Tech Tricks for Personalized Deception Tactics

VIPRE Security Group, a global leader and award-winning cybersecurity, privacy, and data protection company, has released its email threat landscape report for Q2 2025.

Through an examination of worldwide real-world data, this report sounds the alarm on the most significant email security trends observed in the second quarter of 2025, enabling organizations to develop effective email security defenses for the remainder of the year.

Unidentifiable phishing kit deployments 

A striking 58% of phishing sites now use unidentifiable phishing kits.  Cybercriminals are deploying unidentifiable phishing kits to propagate malicious campaigns at scale, indicating a trend towards custom-made or obfuscated deployments. These phishing kits can’t easily be reverse-engineered, tracked, or caught. AI makes them affordable, too. Among the most prevalent are Evilginx (20%), Tycoon 2FA (10%), 16shop (7%), with another 5% attributed to other generic kits.

Manufacturing is the top target sector

For the sixth quarter in a row, the manufacturing sector remains the prime target for cybercriminals. In Q2 2025, manufacturers faced the highest volume of email-based attacks – 26% of all incidents – encompassing BEC, phishing, and malspam threats. Retail follows, accounting for 20% of attacks.

Healthcare is close behind at 19%, reflecting a consistent trend observed since last year and through Q1 2025.

English-speaking executives remain the most targeted for BEC emails (42%), a significant portion are Danish (38%), with the Swedish and Norwegian comprising a combined 19%. Critical corporate communications – especially within HR, finance, and executive teams – often take place in native languages, making localized attacks more convincing.

Impersonation is the most common technique used in BEC scams, with 82% of attempts targeting CEOs and executives. The remaining impersonation efforts are aimed at directors and managers (9%), HR personnel (4%), IT staff (3%), and school heads (2%).

Lumma Stealer, the malware family of the quarter

Lumma Stealer is the most encountered malware family found in the wild during Q2. Analysis shows that it is often delivered via malicious .docx, .html, or .pdf attachments, or through phishing links hosted on compromised or legitimate-looking cloud services such as OneDrive, and Google Drive.

Lumma Stealer is sold as Malware-as-a-Service (MaaS), making it accessible to a broad range of cybercriminals. With active developer support and low cost, it is proving attractive to both novices and experienced cybercriminals.

Top bait, hook, and reel-in tactics

Financial lures representing 35% of the samples – emails regarding money, financial errors, fiduciary imperatives, and such – are the number one ploy used by cybercriminals to get users to open malicious emails. Urgency-based messaging (25%) is the second most tried approach, followed by account verification and updates (20%), travel-themed messages (10%), package delivery (5%), and legal or HR notices (5%).

For phishing delivery, the majority (54%) of cybercriminals leveraged open redirect mechanisms, with legitimate-looking links hosted on marketing services, email tracking systems, and even security platforms to mask the true malicious destination. Compromised websites (30%) are the next most prevalent link delivery method, followed by the use of URL shorteners (7%).

While PDFs (64%) remain the preferred vehicle for delivering malicious attachments, an increasing number now feature embedded QR codes designed to carry out attacks.

Finally, cybercriminals are finishing off their attacks with various exploitation mechanisms, the most observed being HTTP POST to remote server accounting (52%) and email exfiltration (30%).

“It’s clear what the threat actors are doing – they are outsmarting humans through hyper-personalized phishing techniques using the full capability of AI and deploying at scale,” Usman Choudhary, Chief Product and Technology Officer, VIPRE Security Group, says. “Organizations can no longer rely on standard cybersecurity processes, techniques, and technology. They need comprehensive and advanced email security solutions that can help them to deploy like-for-like defenses – at the very least – if not help them stay a step ahead of the tactics used by cybercriminals.”

To read the full report, click here: Email Threat Trends Report: 2025: Q2

VIPRE leverages its vast understanding of email security to equip businesses with the information they need to protect themselves. This report is based on proprietary intelligence gleaned from round-the-clock assessment of the cybersecurity landscape.