Cybercriminals are getting personal, and it’s working

Cybercriminals are deploying unidentifiable phishing kits (58% of phishing sites) to propagate malicious campaigns at scale, indicating a trend towards custom-made or obfuscated deployments, according to VIPRE Security.

These phishing kits can’t easily be reverse-engineered, tracked, or caught. AI makes them affordable, too. Among the most prevalent are Evilginx (20%), Tycoon 2FA (10%), 16shop (7%), with another 5% attributed to other generic kits.

Manufacturing is the top target sector

For the sixth quarter in a row, the manufacturing sector remains the prime target for cybercriminals. In Q2 2025, manufacturers faced the highest volume of email-based attacks, 26% of all incidents, encompassing BEC, phishing, and malspam threats. Retail follows, accounting for 20% of attacks, with healthcare close behind at 19%, reflecting a consistent trend observed since last year and through Q1 2025.

Manufacturing faced the highest number of email-based attacks in Q2 2025, which fits with its overall rise in cyberattacks.

According to the 2025 Verizon Data Breach Investigations Report, phishing was the entry point in 16% of cases. Credential theft led with 22%, followed by vulnerability exploitation at 20%.

While phishing may not be the top method on paper, it often plays a major role in how attackers steal credentials in the first place. This means its impact is larger than it may appear.

By focusing on reducing email-based threats, manufacturers could lower their overall risk of cyber compromise.

BEC targets Scandinavia

Scandinavian countries, known for their sophisticated economies and digital infrastructures, have become prime targets for business email compromise (BEC) attacks. Cybercriminals are increasingly focusing on executives in this region, leveraging language and localisation for greater effectiveness. While English-speaking executives remain the most targeted for BEC emails (42%), a significant portion are Danish (38%), with the Swedish and Norwegian comprising a combined 19%.

The strategic use of Danish, Swedish, and Norwegian languages in BEC scams highlights a growing trend toward regional targeting. Although English proficiency is high in Scandinavia, critical corporate communications, especially within HR, finance, and executive teams, often take place in native languages, making localised attacks more convincing.

Impersonation is the most common technique used in BEC scams, with 82% of attempts targeting CEOs and executives. The remaining impersonation efforts are aimed at directors and managers, HR personnel, IT staff, and school heads.

Malware family of the quarter

Lumma Stealer is the most encountered malware family found in the wild during Q2. Analysis shows that it is often delivered via malicious .docx, .html, or .pdf attachments, or through phishing links hosted on compromised or legitimate-looking cloud services such as OneDrive, and Google Drive.

Lumma Stealer is sold as Malware-as-a-Service (MaaS), making it accessible to a broad range of cybercriminals. With active developer support and low cost, it is proving attractive to both novices and experienced cybercriminals.

How attackers lure us in?

Financial lures representing 35% of the samples, emails regarding money, financial errors, fiduciary imperatives, and such, are the number one ploy used by cybercriminals to get users to open malicious emails. Urgency-based messaging is the second most tried approach, followed by account verification and updates, travel-themed messages, package delivery, and legal or HR notices.

For phishing delivery, 54% of cybercriminals leveraged open redirect mechanisms, with legitimate-looking links hosted on marketing services, email tracking systems, and even security platforms to mask the true malicious destination. Compromised websites (30%) are the next most prevalent link delivery method, followed by the use of URL shorteners (7%).

While PDFs (64%) remain the preferred vehicle for delivering malicious attachments, an increasing number now feature embedded QR codes designed to carry out attacks.

Finally, cybercriminals are finishing off their attacks with various exploitation mechanisms, the most observed being HTTP POST to remote server accounting (52%) and email exfiltration (30%).

“Threat actors are outsmarting humans through hyper-personalised phishing techniques using the capability of AI and deploying at scale,” said Usman Choudhary, Chief Product and Technology Officer, VIPRE Security Group.