Phishing up almost 50 percent since 2021 with AI attacks on the rise

Date: 2025-02-06

The latest Phishing Trends Report from Hoxhunt -- based on a global sample size of 2.5 million email users, 50 million phishing simulations, and millions of real phishing attacks -- shows a 49 percent increase in phishing since 2021, driven partly by the rise of blackhat AI.

Among the findings is that between 0.7 percent and 4.7 percent of reported phishing attempts are written by AI. This may seem low, but to put it into context, the number of AI phishing attempts was negligible six months earlier. Highly targeted, AI-enabled spear phishing attacks with multiple links in the kill chain are on the rise.

The report finds that, per 1,000-person organization, 2,330 total phishing attempts bypass filters annually, and there are 466 malicious clicks over the same period.

Mika Aalto, co-founder and CEO of Hoxhunt, says, "We've never had a baseline for how many phishing attacks truly bypass filters until now. There’s always been a lot of assumption that goes into what types and volumes of threats people are actually facing, especially in the age of AI. The 2025 Phishing Trends Report bridges that data gap, giving CISOs a clear benchmark to shape more effective, people-centered defense strategies."

The three most common impersonations used in phishing attacks are Microsoft, Docusign and human resources departments. In Microsoft phishes, targets are usually told their account or multi-factor authentication is expiring. Docusign messages ask the recipient to review and sign documents. In HR attacks, the recipient is most commonly asked to review salary and vacation plans; these messages arouse curiosity and instill a sense of urgency with time-sensitive actions that must be taken, benefits, and consequences.

The good news is that it's verifiably possible to improve email behavior. The findings show clear real-world impact on risk reduction when phishing training is based on behavior. Employees can be trained to recognize and report social engineering attacks with a sixfold improvement in six months, reducing the number of phishing incidents per organization by 86 percent while significantly accelerating SOC response.

You can get the full report on the Hoxhunt site.


