Redazione RHC : 19 August 2025 11:57
Proofpoint has released the second volume of its annual study “Human Factor 2025“, focusing on phishing and URL-based attacks. Analysis of data from May 2024 to May 2025 shows that attackers are increasingly using social engineering in combination with links, which have become the primary vector for attacking users.
According to statistics, links were encountered four times more often than attachments with malicious content. Over 55% of SMS messages with phishing traces contained a URL, and the number of campaigns using the ClickFix technique increased by nearly 400% in one year. In total, researchers recorded 3.7 billion attempts to steal credentials using malicious links, compared to 8.3 million attempts to distribute malware, confirming that attackers’ primary goal today is compromising accounts.
Particularly concerning is the growing number of attacks using legitimate services. Attackers disguise malicious URLs as documents on OneDrive or Google Drive and also create fake authorization pages that are indistinguishable from the real ones. The widespread use of generative AI models allows them to infinitely refine phishing email templates, increasing their persuasiveness.
Among the main tools are ready-made phishing kits such as CoGUI and Darcula. The former is actively used by Chinese-speaking groups and primarily targets users in Japan, while the latter is used in SMS attacks, often posing as messages from government agencies or postal companies. Both tools can bypass protection and even intercept MFA codes.
One of the most notable trends has been the spread of the ClickFix program. The victim is shown a fake error window or CAPTCHA, prompting them to manually execute commands. This installs RATs, infostealers, and downloaders on the device. ClickFix campaigns have become common practice, used by both financially motivated groups and state actors.
Separately, experts note the growth of mobile attacks. According to the report, in 2024, the number of URL threats in SMS messages increased by 2534%. In 2025, at least 55% of phishing SMS messages contained links, and 75% of organizations confirmed experiencing such attacks. The main attacks are traffic ticket fraud and fake delivery notifications.
QR code phishing attacks are also gaining ground. In the first six months of 2025 alone, Proofpoint identified nearly 4.2 million cases of QR code abuse. This vector is convenient for criminals, as it allows them to bypass email gateway filters: the victim scans the code on a smartphone and ends up on a fake site to steal passwords or credit card information.
The report concludes that the most destructive attacks today are not aimed at systems, but at people. Such campaigns can’t succeed without a user click, which means the main line of defense is protecting all communication channels: from business emails to instant messaging and SaaS services. Proofpoint recommends multi-layered AI solutions capable of detecting even the slightest signs of phishing in any digital stream.
Redazione