
10 Email security threats changing cybersecurity defense in 2025

Email continues to be the primary target for cyberattacks, with security professionals facing unprecedented threats in 2025. According to Chuck Brooks, a global thought leader in cybersecurity, "87% of security professionals report that their organization has encountered an AI-driven cyber-attack in the last year." Recent data also reveals that an estimated 3.4 billion emails are sent daily by cyber criminals.

Real-world breach data show the severity of this threat. According to Paubox's report "2025 mid-year email breach data reveals there's no slowing down: Insights from 107 email-related healthcare breaches," there have been "107 email-related breaches so far in 2025, compared to 180 overall last year," with "52% of healthcare breaches on Microsoft 365, up from 43% in 2024." The financial impact is worth noting, as "according to the 2025 IBM Cost of a Data Breach report, the average cost of a healthcare breach is now $11 million—the highest of any industry for the 14th consecutive year."

According to the World Economic Forum's Global Cybersecurity Outlook 2025, "72% of respondents report an increase in organizational cyber risks, with ransomware remaining a top concern."

Cybersecurity in 2025: The Future of Threats and Defences states cyber-attacks have "only grown in complexity as attackers exploit six 'mega trends' in technology: artificial intelligence (AI), cloud computing, social media, software supply chains, the emergence of homeworking, and the Internet of Things (IoT)." As Chuck Brooks notes, "In 2025, cybersecurity is gaining significant momentum. However, there are still many challenges to address. The ecosystem remains unstable in spite of investments and the introduction of new tools." 

 

1. Deepfake audio and video manipulation in email campaigns

Attackers create audio and video content featuring executives, colleagues, or trusted partners to support fraudulent email requests. These multi-modal attacks combine traditional phishing emails with synthetic media that exploits psychological trust mechanisms.

An example from early 2024 demonstrates the potential of these attacks: cybercriminals used AI-powered deepfakes to pose as a multinational company's chief financial officer during a video call, successfully tricking a finance employee into transferring over $25 million to an offshore account. According to the Health Sector Cybersecurity Coordination Center (HC3), the attack began with a phishing email that initially raised some suspicion, but the deepfake video call provided the credibility needed to complete the fraud, highlighting how synthetic media increases compliance rates with fraudulent requests.

HC3 research indicates that vishing, smishing, and phishing attacks have increased by 1,265% since ChatGPT's launch in November 2022, with 76% of enterprises lacking sufficient voice and messaging fraud protection against AI-powered attacks. IBM's February 2024 research on using generative AI to "hijack" live audio conversations raises additional concerns about the potential for "modifying medical information in phone conversations."

According to 2025 Forecast: AI to supercharge attacks, quantum threats grow, SaaS security woes, industry experts predict that "by 2025, malicious use of multimodal AI will be used to craft an entire attack chain." This represents an evolution from isolated deepfake incidents to attack strategies that leverage multiple AI-generated media types throughout the entire campaign lifecycle.

According to the World Economic Forum's Global Cybersecurity Outlook 2025, "55% of CISOs polled during the Annual Meeting on Cybersecurity 2024 stated that deepfakes pose a moderate-to-significant cyberthreat to their organization." The report notes that "Accenture's research has noted a 223% rise in the trade of deepfake-related tools on dark web forums between Q1 2023 and Q1 2024."

A Cyber Defense Magazine report highlights this trend, noting that "2024 saw a significant rise in the use of Open-Source Intelligence (OSINT) and advanced data tools to create clone identities." This development makes verification challenging, as cybersecurity experts warn that "even traditional challenge-response methods may fail, as both the original and the clone are likely to provide accurate answers."

 

2. QR code phishing and mobile device exploitation

Attackers are now using QR code phishing to bypass traditional security measures. QR codes are being weaponized in emails and flyers, and once scanned, they redirect users to malicious phishing pages that harvest credentials.

According to Hooked: A Real-World Study on QR Code Phishing, this threat has escalated: "the quarterly HP Wolf Security Threats Insight Report of Q4 2022 warned that QR code phishing has become an almost daily occurrence, especially when used to redirect users to malicious websites asking for credit and debit card details." The research demonstrates the effectiveness of these attacks, noting that "malicious actors thereby take advantage of generally weaker security protection on smartphones."

According to the Hooked article, research found that "the functionality and accessibility of a QR code was stated as the main reason (70.73%) for the use of QR codes by the participants," while "the second most common reason for using QR codes is curiosity (26.02%)." This curiosity-driven behavior, combined with the finding that "only 25.20% would not scan any QR code and 47.15% know countermeasures," reveals security awareness gaps even among technically-savvy users.

These attacks are effective because they bypass many URL filtering systems that focus on text-based link analysis. The mobile-centric nature of QR code interactions also means that corporate security policies and monitoring systems often have limited visibility into these compromise attempts.

 

3. Ransomware integration with email attack vectors

Cybersecurity leaders face challenges from AI-driven threats, expanding attack surfaces, identity vulnerabilities, ransomware evolution, regulatory pressures, and supply chain risks. According to Chuck Brooks, "A new report from Ivanti surveyed more than 2,400 security leaders and found that the top predicted threat for 2025 is ransomware. According to the report, nearly 1 out of every 3 security professionals (38%) believe ransomware will become an even greater threat when powered by AI."

Ransomware attacks begin with email campaigns that establish initial access before deploying encryption payloads weeks or months later. Brooks observes that "businesses are facing ransomware more frequently because of AI enabled phishing attacks combined with social engineering." Modern ransomware operators conduct research through email interactions, gathering intelligence about organizational structure, backup systems, and security measures before launching their primary attacks.

The scale of the threat is unprecedented. According to Chuck Brooks, "The fourth quarter of 2024 experienced the highest level of ransomware activity recorded in any prior quarter, with a total of 1,663 known victims posted on leak sites, according to that research. In addition, 55 new ransomware groups emerged last year — a 67% increase in group formation compared with 2023."

According to "Cybersecurity in 2025: The Future of Threats and Defences," organizations need "a clear pivot towards 'right of bang' thinking, shifting focus to what happens after an inevitable breach (the 'bang'), aiming to build resilience in the centre of business operations."

However, Brooks notes a concerning preparedness gap: "The report found a gap in preparedness for ransomware attacks, with only 29% of security leaders saying they are very prepared for ransomware incidents."

 

4. Business email compromise and executive impersonation

In what is known as Business Email Compromise or Business Communication Compromise (BEC/BCC), attackers pose as trusted entities (e.g., a CEO, supervisor, or other person of authority), often through spoofing, to deceive individuals in an organization into handing over money or sensitive information.

These attacks have evolved beyond simple email spoofing to include sophisticated social engineering that leverages detailed organizational intelligence. Attackers study communication patterns, reference real business relationships, and time their requests to coincide with legitimate business activities such as quarterly financial processes or vendor payments.

The challenge is made worse by organizational vulnerabilities. The Paubox report found that "IT leaders estimate only 5% of known phishing attacks are reported by employees to their security teams," highlighting a gap in threat detection and response capabilities.

The World Economic Forum's report notes that "nearly 60% of organizations state that geopolitical tensions have affected their cybersecurity strategy," with cyber espionage and loss of sensitive information becoming primary concerns for one in three CEOs.

 

5. Insider threats and data exfiltration through email

According to 2025 Forecast: AI to supercharge attacks, quantum threats grow, SaaS security woes, "the cost per malicious insider incident reached $715,366 in 2025, up from $701,500 in 2023, making them the most expensive types of insider threats." Insider threats manifest through various email-based activities, including unauthorized data sharing, credential compromise, and system access abuse.

The human factor remains a vulnerability. According to the Paubox report, "41% of healthcare providers said their teams have bypassed secure messaging at least once in the past year, prioritizing productivity over security." This behavior creates opportunities for both malicious insiders and external attackers who exploit these security gaps.

Industry experts predict that "nation-state actors will increasingly exploit AI-generated identities to infiltrate organizations" as noted in 2025 Forecast: AI to supercharge attacks, quantum threats grow, SaaS security woes. This emerging insider threat involves operatives who bypass traditional background checks using stolen credentials and fake profiles to secure roles within targeted companies.

 

6. Supply chain email compromise and vendor impersonation

In supply chain attacks, attackers inherit the trust relationships and communication patterns of a compromised partner and use them to launch further attacks. When a vendor's email system is compromised, attackers gain access to established business relationships, ongoing projects, and financial processes.

The Paubox report provides evidence of this threat, noting that "16% of email-related breaches in 2025 have involved business associates," including "several of the largest" incidents. This demonstrates how third-party vendors can introduce risks into organizational security postures.

According to the 2025 Forecast, "54% of large organizations identified supply chain challenges as the biggest barrier to achieving cyber resilience." The complexity of supply chains, coupled with a lack of visibility and oversight into the security levels of suppliers, has emerged as the leading cybersecurity risk for organizations.

The challenge for organizations lies in distinguishing between legitimate vendor communications and impersonation attempts. Traditional email security measures struggle with these attacks because they originate from trusted domains and reference real business relationships.

 

7. AI-enhanced phishing and social engineering

According to Chuck Brooks, "Agents are the talk of the AI industry—they're capable of planning, reasoning, and executing complex tasks like scheduling meetings, ordering groceries, or even taking over your computer to change settings on your behalf. But the same sophisticated abilities that make agents helpful assistants could also make them powerful tools for conducting cyberattacks. They could readily be used to identify vulnerable targets, hijack their systems, and steal valuable data from unsuspecting victims."

The operational burden on security teams is intensifying. The Paubox report reveals that "82% of IT and cybersecurity leaders say they worry about missing threats due to the overwhelming volume of alerts and data they face." This alert fatigue creates opportunities for AI-enhanced attacks to slip through organizational defenses.

As noted in Cybersecurity in 2025: The Future of Threats and Defences, "AI increases the speed, volume, and sophistication of cyber-attacks, making it easier for cybercriminals, it also offers powerful tools for defence, which can help analysts anticipate and respond to threats."

According to the 2025 Forecast, security experts predict that "GenAI accelerates general understanding of people, processes, and technologies — and that will spur elaborate attacks including sophisticated phishing emails, deep fakes, vishing, and more." This acceleration represents a shift in how attackers develop and deploy social engineering campaigns.

The World Economic Forum's Global Cybersecurity Outlook 2025 reveals that "47% of organizations cite adversarial advances powered by generative AI (GenAI) as their primary concern, enabling more sophisticated and scalable attacks." The report notes that "42% of organizations experienced a successful social engineering attack in the past year."

Industry research from Cyber Defense Magazine reveals a trend, stating that "we've seen an alarming increase in the use of generative AI by attackers, mirroring techniques that achieve 80% success rates in real world testing."

Attackers now use AI tools to analyze organizational communication patterns, craft personalized messages, and automate large-scale campaigns that adapt in real-time based on target responses. According to the World Economic Forum report, "While 66% of organizations expect AI to have the most significant impact on cybersecurity in the year to come, only 37% report having processes in place to assess the security of AI tools before deployment."

 

8. Configuration exploitation and cloud security gaps

As organizations adopt cloud email platforms, configuration management has become a vulnerability. Misconfigurations in cloud email environments create unintended access pathways that attackers actively exploit to gain persistent access without triggering traditional security alerts.

Real-world breach data confirms this vulnerability. According to the Paubox report, "79% of breached domains had ineffective DMARC protection, a major jump from 65% in 2024." This represents a configuration failure that attackers actively exploit.
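The "ineffective DMARC protection" finding above usually means a record that monitors but does not enforce (p=none), enforces only a fraction of mail (pct below 100), or leaves subdomains open. The following is an added example, not Paubox's tooling, that parses a DMARC TXT record as it would be published at _dmarc.<domain> and flags those weaknesses; the sample records and domain names are constructed for illustration.

```python
"""Assess whether a DMARC record actually enforces a policy against spoofed mail."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class DmarcAssessment:
    effective: bool                       # True only if spoofed mail would be quarantined/rejected
    policy: Optional[str]                 # value of p= tag, or None when the record is unusable
    findings: List[str] = field(default_factory=list)


def parse_dmarc(record: str) -> Dict[str, str]:
    """Split 'tag=value; tag=value' into a dict with lower-cased tag names."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        key, sep, value = part.strip().partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(record: Optional[str]) -> DmarcAssessment:
    """Classify a record the way a mail receiver would apply it (RFC 7489 semantics)."""
    if record is None:
        return DmarcAssessment(False, None, ["no DMARC record published"])
    tags = parse_dmarc(record)
    findings: List[str] = []
    if tags.get("v", "").upper() != "DMARC1":
        return DmarcAssessment(False, None, ["missing v=DMARC1 tag; receivers ignore the record"])
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        return DmarcAssessment(False, None, ["missing or invalid p= tag; record is not valid DMARC"])
    if policy == "none":
        findings.append("p=none only monitors; spoofed mail is still delivered")
    pct_raw = tags.get("pct", "100")
    pct = int(pct_raw) if pct_raw.isdigit() else 0   # non-numeric pct treated as no enforcement
    if pct < 100:
        findings.append(f"pct={pct_raw} applies the policy to only part of the mail stream")
    sp = tags.get("sp", policy).lower()              # subdomain policy defaults to p=
    if policy != "none" and sp == "none":
        findings.append("sp=none leaves subdomains unprotected")
    if "rua" not in tags:
        findings.append("no rua= address; aggregate reports will never arrive")
    effective = policy in ("quarantine", "reject") and pct >= 100 and sp != "none"
    return DmarcAssessment(effective, policy, findings)


# Constructed sample records (hypothetical domains) covering the common failure modes.
SAMPLE_RECORDS: Dict[str, Optional[str]] = {
    "monitor-only.example": "v=DMARC1; p=none; rua=mailto:dmarc@monitor-only.example",
    "partial.example": "v=DMARC1; p=reject; pct=25; rua=mailto:dmarc@partial.example",
    "subdomain-gap.example": "v=DMARC1; p=quarantine; sp=none; rua=mailto:dmarc@subdomain-gap.example",
    "enforced.example": "v=DMARC1; p=reject; rua=mailto:dmarc@enforced.example",
    "absent.example": None,
}


def assess_all(records: Dict[str, Optional[str]]) -> Dict[str, DmarcAssessment]:
    """Run the assessment over a domain-to-record map, e.g. the output of DNS TXT lookups."""
    return {domain: assess_dmarc(rec) for domain, rec in records.items()}


if __name__ == "__main__":
    for domain, result in assess_all(SAMPLE_RECORDS).items():
        print(f"{domain}: effective={result.effective} policy={result.policy} {result.findings}")
```

In production the records come from a DNS TXT query for _dmarc.<domain>; the function deliberately ignores SPF/DKIM alignment, which must also hold for DMARC to pass.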

The severity of this threat is confirmed by industry research. As noted by the Security Magazine article "Security leaders say cloud platform misconfiguration is the biggest threat," survey findings show that "misconfigurations rank as the primary cloud security concern, affecting 59% of respondents." This represents a vulnerability that extends beyond email systems to include entire cloud infrastructures.

Common vulnerabilities include overly permissive sharing settings, inadequate access controls, poorly managed third-party application integrations, and misconfigured mail flow rules. Security Magazine reports that "72% of respondents struggle with managing access to multiple security solutions, resulting in confusion and compromising cloud management security."

The impact of these configuration gaps is measurable and escalating. The Security Magazine article notes that the report indicates "a 48% increase in cloud-based network attacks in 2022 compared to the previous year," demonstrating how attackers are capitalizing on these management challenges. Furthermore, "24% of respondents reported experiencing public cloud-related security incidents, with misconfigurations, account compromises and exploited vulnerabilities being the most common incident types."

The operational burden adds to the security risk. According to Security Magazine, "26% of organizations have 20 or more security policies in place, leading to alert fatigue and hindering response teams' ability to effectively counter high-risk incidents." The distributed nature of cloud administration means that configuration changes can occur across different teams and time zones, making centralized oversight increasingly difficult.

 

9. Voice phishing integration and multi-channel attacks

According to the 2025 Forecast, "incident response teams identified vishing as the most common type of phishing in Q1 2025, accounting for over 60% of social engineering attacks." Modern attack campaigns increasingly combine email communications with voice calls, text messages, and other communication channels to create multi-layered social engineering approaches.

These integrated campaigns typically begin with emails that gather information about organizational structure and communication patterns. Attackers then use this intelligence to conduct convincing follow-up phone calls that reference email conversations and exploit the psychological impact of multi-channel validation.

The sophistication of these attacks lies in their ability to create false authentication through multiple touchpoints. An employee might receive a legitimate-looking email followed by a convincing phone call that references information from the email, creating a false sense of verification that traditional security awareness training hasn't adequately addressed.

 

10. Advanced persistent email reconnaissance

Modern email attacks rely on campaigns that operate for months before launching actual attacks. These persistent campaigns analyze organizational communication patterns, identify high-value targets, map business processes, and gather intelligence about security measures through seemingly innocuous email interactions.

The Paubox report noted that "according to OCR enforcement data, failure to conduct an adequate enterprise-wide risk analysis has been cited in more than 75% of HIPAA resolution agreements involving security incidents from 2020 to 2024." This regulatory data highlights how inadequate risk assessment creates opportunities for persistent reconnaissance activities.

These operations often involve automated analysis of email metadata, communication timing patterns, organizational hierarchy mapping, and identification of key decision-makers and financial processes. The intelligence gathered during these campaigns enables highly targeted attacks that exploit specific organizational vulnerabilities and business processes.


 

FAQs

How can small businesses protect themselves from AI-driven email threats?

They can adopt layered security tools, employee training, and strict authentication practices.

 

What role does employee awareness play in preventing deepfake-enabled attacks?

Employee skepticism and training remain the first line of defense against synthetic media fraud.

 

Why are mobile devices especially vulnerable to QR code phishing?

Smartphones often lack the same filtering and monitoring controls as desktop systems.

 

How can organizations prepare for ransomware launched through email campaigns?

Regular backups, incident response plans, and phishing detection tools reduce the impact of ransomware.

 

What makes business email compromise harder to detect than regular phishing?

It exploits trust, timing, and real communication patterns instead of obvious fake messages.
