URL-based threats become a go-to tactic for cybercriminals

Cybercriminals are using advanced social engineering and AI-generated content to make malicious URLs difficult for users to identify, according to Proofpoint.

Whether through email, text messages, or collaboration apps, URL-based threats now dominate the cyber threat landscape. Attackers are not just impersonating trusted brands, they are abusing legitimate services, tricking users with fake error prompts, and bypassing traditional security by embedding threats in QR codes and SMS messages.

Cybercriminals favor URLs over attachments

The gap between URLs and attachments for threat delivery has continued to grow in opposite directions over the past few years, with the volume of URLs far outweighing the volume of attachments. Over a six-month period in 2024–2025, researchers observed URL threats four times more often than attachments.

Cybercriminals favor malicious URLs over attachments, as they are easier to disguise and more likely to evade detection. These links are embedded in messages, buttons, and even inside attachments like PDFs or Word documents to entice clicks that initiate credential phishing or malware downloads.

Credential phishing is the main focus for attackers

ClickFix campaign volumes have increased by nearly 400% year over year, making it one of the most common URL-based techniques used by malware threat actors. ClickFix is a phishing technique that lures users into running malicious code by displaying fake error messages or CAPTCHA screens.

By exploiting the urge to resolve a perceived technical issue, this method has become a go-to tactic for malware operators, helping them spread remote access trojans (RATs), infostealers, and loaders.

Credential phishing remains the most prevalent goal for attackers, with 3.7 billion URL-based attacks aimed at stealing logins. Attackers are focused on stealing login credentials rather than distributing malware. With phishing lures that impersonate trusted brands and use off-the-shelf tools such as CoGUI and Darcula phish kits, even low-skilled actors can deploy highly convincing campaigns that bypass MFA and lead to full account takeover.

Mobile threats on the rise

Proofpoint identified over 4.2 million QR code phishing threats in the first half of 2025 alone. QR code-based attacks remove users from enterprise protections by leveraging personal mobile devices. Once scanned, these codes redirect users to phishing sites designed to harvest sensitive information such as credentials, credit card data, or personal identifiers, all under the guise of legitimacy.

Smishing campaigns jumped 2,534% as attackers shift focus to mobile devices. At least 55% of suspected SMS-based phishing messages analyzed contained malicious URLs. These often mimic government communications or delivery services and are particularly successful due to the immediacy and trust users place in mobile text messages, reflecting a shift toward mobile-first targeting by threat actors.

“The most damaging cyber threats today don’t target machines or systems. They target people. In addition, URL-based phishing threats are no longer confined to the inbox, they can be carried out anywhere and are often difficult for people to identify,” said Selena Larson, senior threat intelligence analyst at Proofpoint.

“From QR codes in emails and fake CAPTCHA pages to mobile-first smishing scams, attackers are weaponizing trusted platforms and familiar experiences to exploit human psychology. Defending against these threats requires multilayered, AI-powered detection and a human-centric security strategy,” concluded Larson.