
Looking Back to Look Forward: 2024’s Top Email Threats

By Josh Breaker Rolfe | January 29, 2025 | Updated: January 29, 2025 | 5 Mins Read

In the cybersecurity industry, we tend to look forward. And for good reason: cybersecurity is one of the fastest-moving, most dynamic fields out there. Staying in the fight against cybercriminals relies utterly on not just keeping up with the latest trends, but also anticipating them. However, sometimes, predicting the future relies on looking to the past. As the adage goes, to know your future, you must know your past.

With this in mind, VIPRE Security Group recently released their latest annual email threat landscape report, titled “Email Security in 2025: What to Expect from the Evolving Threat Landscape.” Drawing insights from the billions of emails VIPRE processed in 2024, the report offers a comprehensive view of last year’s email security threats to help us make sense of the year ahead. So, without further ado, let’s dive in.

Spam, Spam, and More Spam

It will come as little surprise to anyone with a functioning email address, but there was a lot of spam in 2024. In fact, nine out of ten emails received last year were categorized as spam. Arguably more concerning, however, was that so many of these spam emails were brand new. VIPRE detected 118,557 never-seen-before spam emails, which fell into the following categories:

  • Commercial: 37%
  • Scam: 32%
  • Phishing: 21%
  • Malware: 9%
  • Others: 1%

Although commercial spam came out on top, the real story here is that most spam (62%) is actively malicious, the same as last year. Commercial spam, while a nuisance, doesn’t really pose a threat to users or organizations; scams, phishing emails, and malware, however, do. In terms of what this means for email security in 2025, it drives home the importance of vigilance when it comes to spam emails. Remember: spam isn’t just a nuisance; more often than not, it’s an active threat.

Dysfunctional Malware Families and Infostealing Cybercriminal Hearts

2024’s top malware families (and, hence, the families to watch out for in 2025) – PikaBot (Q1), IcedID (Q2), and Redline (Q3 and Q4) – caused an extraordinary amount of damage last year and will likely continue wreaking havoc this year. What’s more interesting, however, is that most of the top malware received in 2024 were infostealers and Remote Access Trojans (RATs).

Google has already identified infostealers as a major threat in 2025, and VIPRE’s report seems to support this claim. Infostealers, as the name suggests, steal sensitive information – like login credentials, personally identifiable information (PII), and intellectual property (IP) – from computer systems. As such, they can have massive consequences for victim organizations, typically in the form of regulatory fines.

Fortunately, protecting against infostealers is no different from protecting against any other form of malware: implementing security awareness training, multi-factor authentication (MFA), and endpoint detection and response (EDR) will ward off the vast majority of infostealing campaigns.

The BEC Behemoth

And that brings us to the big one: BEC scams. Business email compromise (BEC) scams involve cybercriminals impersonating company executives or vendors via email to trick employees into transferring funds, clicking malicious links or attachments, or handing over sensitive information. They play a huge role in the email threat landscape: the FBI’s Internet Crime Report revealed that BEC accounted for over $2.9 billion in losses in 2023, 49 times the losses associated with ransomware, while VIPRE’s report shows BEC accounted for 70% of all scam emails in Q4 2024.

But that’s not all; VIPRE’s report also offers insight into how BEC scammers work. The vast majority (88%) of BEC scams involve impersonation tactics, followed far, far behind by diversion, email hijacking, and account takeover, in that order. The takeaway here is that, in 2025, we can’t trust emails, even if they appear to come from trusted people.

Remember, BEC scams can have catastrophic consequences. In 2024, a Singaporean company inadvertently sent $42.3 million to a fake supplier. While INTERPOL recovered the funds, the scam exemplified the potential damage these scams can cause.
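Because impersonation dominates BEC, one practical control is to flag mail whose display name matches a known executive or vendor while the underlying address does not. The sketch below is an added example, not taken from the VIPRE report or this article; the `TRUSTED_SENDERS` directory, the names, the addresses, and the Reply-To heuristic are assumptions made for illustration.

```python
from email import message_from_string
from email.utils import parseaddr
import unicodedata

# Hypothetical directory: names worth impersonating -> their real addresses.
TRUSTED_SENDERS = {
    "dana whitfield": {"dana.whitfield@example.com"},
    "acme supplies billing": {"billing@acme-supplies.example"},
}

def _norm(text):
    """Fold case, Unicode compatibility forms and whitespace for comparison."""
    return " ".join(unicodedata.normalize("NFKC", text).casefold().split())

def impersonation_findings(raw_message):
    """Return a list of reasons the message looks like sender impersonation."""
    msg = message_from_string(raw_message)
    display, addr = parseaddr(msg.get("From", ""))
    addr = addr.lower()
    findings = []
    # Signal 1: a trusted display name paired with an address we do not know.
    known = TRUSTED_SENDERS.get(_norm(display))
    if known is not None and addr not in known:
        findings.append(f"display name '{display}' used with unlisted address {addr}")
    # Signal 2 (assumed heuristic): replies are steered to a different domain.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    reply_to = reply_to.lower()
    if reply_to and reply_to.rpartition("@")[2] != addr.rpartition("@")[2]:
        findings.append(f"Reply-To domain differs from From domain ({reply_to})")
    return findings

# Constructed sample messages (not real traffic).
SPOOFED = """From: "Dana Whitfield" <dana.whitfield.ceo@mail.example.net>
Reply-To: payments@invoices.example.org
Subject: Urgent wire transfer

Please process today.
"""
GENUINE = """From: Dana Whitfield <dana.whitfield@example.com>
Subject: Q4 planning

See agenda attached.
"""

if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED), ("genuine", GENUINE)):
        print(label, impersonation_findings(raw))
```

Both signals are triage hints rather than verdicts: mailing lists and ticketing systems legitimately set a different Reply-To, so findings should feed a review queue or a warning banner rather than silently drop mail.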

Last Year’s Phishing Phrases

Perhaps the most actionable insight in the entire VIPRE report – at least for the consumer – is its list of 2024’s most common phishing phrases. While we might think we know how to spot a phishing scam, there are a few phrases in the list that might surprise you. Here are the top five:

  • CLICK HERE to upgrade
  • Please Access Your Account to review it
  • Sign-in activity review
  • New voicemail received!
  • Your subscription is about to expire!

Ultimately, if you receive an email containing any of the above phrases (or any of the others on the list), you’re likely being phished, so act with caution.

Looking Ahead

The key takeaway here is that the email security threat isn’t going away. In fact, cybercriminals are getting better at what they do. Hopefully, the information above will help you and your organization stay safe in the year to come. Happy emailing!

Josh Breaker Rolfe

Josh is a Content writer at Bora. He graduated with a degree in Journalism in 2021 and has a background in cybersecurity PR. He's written on a wide range of topics, from AI to Zero Trust, and is particularly interested in the impacts of cybersecurity on the wider economy.


The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.
