VIPRE’s Q2 2025 Email Threat Landscape Report — produced by VIPRE’s Malware Research Group — paints a worrying picture: email threats aren’t just becoming more targeted, they’re getting personal. Things have been heading this way for a while now, but Q2 2025 was the period when social engineering became attackers’ unequivocal weapon of choice. To make matters worse, phishing, business email compromise (BEC), and malware campaigns are all becoming increasingly customized and regionally nuanced.
Manufacturing and Retail Remain Under Siege
For the sixth consecutive quarter, the manufacturing sector was the most targeted vertical for email-based threats, accounting for 26% of observed attacks. Retail (20%) and healthcare (19%) followed close behind. Why? Because these industries face the unholy trinity of email threat susceptibility: high digital exposure, large workforces that can be generally apathetic towards information security, and complex supply chains.
When we consider the headline-grabbing breaches of the last few months, these findings should come as little surprise. In the UK alone, for example, retailers Marks and Spencer (M&S), Harrods, and Co-op all fell victim to major incidents throughout Q2.
Phishing Kits Decline, Custom Deployments Rise
While attackers do still use phishing kits like Evilginx and 16shop, VIPRE found that more than half (58%) of phishing sites analyzed in 2022 did not rely on recognizable kits. This shift is likely due to a pivot to obfuscated, custom-built infrastructure.
This shift is bad news. Phishing-as-a-Service tools have been a trusty workhorse for cybercriminals for years now. They allow even novice attackers to launch phishing attacks at scale. But they’re also easy to reverse engineer, trace, and catch. The same can’t be said for custom-built deployments. And now, with AI widely available, rookie cybercriminals can build those deployments more easily than ever.
Callback Phishing Breaks into the Mainstream
A previously niche technique has exploded in popularity. Callback phishing – previously known as TOAD (telephone-oriented attack delivery) – now ranks as the third most prevalent phishing vector, responsible for 16% of all phishing activity in Q2.
Unlike typical phishing emails that rely on attachments or links, callback phishing lures users into calling a fake customer support number. Once on the line, attackers guide victims to malicious websites, collect sensitive details directly, or even convince users to make bank transfers. The problem for defenders here is that these attacks bypass many of the technical controls designed to scan incoming emails for dangerous payloads.
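Because there is no link or attachment to scan, detection has to key on the message's content. The sketch below is an added example, not code from VIPRE's report: it flags mail that pairs a phone number and a call-to-action with billing-style lure terms while carrying no URL or attachment. The keyword list, regexes, and sample messages are constructed assumptions.

```python
import re
from email import message_from_string

# Assumed lure vocabulary and patterns (not from the report); tune on your own mail.
LURE_TERMS = ("invoice", "subscription", "renewal", "refund", "charged", "cancel")
URL_RE = re.compile(r"https?://|www\.", re.I)
PHONE_RE = re.compile(
    r"(?<!\d)(?:\+?\d{1,3}[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}(?!\d)")
CALL_RE = re.compile(r"\b(?:call|dial|phone)\b", re.I)

# Constructed sample messages (fictional addresses and 555 numbers).
CALLBACK_SAMPLE = """\
From: "Billing Support" <billing@example.test>
Subject: Your subscription renewal invoice

Your account was charged 349.99 USD. To cancel or request a refund,
call our support desk at +1 (800) 555-0142 within 24 hours.
"""
LINK_SAMPLE = """\
From: "Store" <orders@example.test>
Subject: Order shipped

Track your parcel at https://shop.example.test/track or call 800-555-0199.
"""


def body_text(msg):
    """Join every text/* part that is not an attachment."""
    chunks = []
    for part in msg.walk():
        if part.get_content_maintype() == "text" and not part.get_filename():
            raw = part.get_payload(decode=True) or b""
            chunks.append(raw.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def callback_signals(raw_message):
    """Return the individual signals plus an overall flag for one raw message."""
    msg = message_from_string(raw_message)
    text = (msg.get("Subject") or "") + "\n" + body_text(msg)
    has_attachment = any(part.get_filename() for part in msg.walk())
    signals = {
        "phone_number": bool(PHONE_RE.search(text)),
        "call_to_action": bool(CALL_RE.search(text)),
        "lure_terms": sum(term in text.lower() for term in LURE_TERMS) >= 2,
        "no_link_or_attachment": not URL_RE.search(text) and not has_attachment,
    }
    signals["flag"] = all(signals.values())
    return signals
```

Returning the individual signals alongside the flag lets an analyst see why a message was held and lets the rule be loosened one signal at a time.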
BEC Scams Target Scandinavia
BEC scams offer an enormous return on investment for attackers. In 2024, for example, British engineering firm Arup fell victim to a BEC scam involving deepfake technology to the tune of $25 million.
However, attackers are shifting their focus away from the English-speaking world and towards, somewhat surprisingly, Scandinavia. VIPRE found that Danish, Norwegian, and Swedish speakers were disproportionately targeted in BEC campaigns, with a staggering 38% of samples written in Danish.
This shift is concerning because it shows that attackers are doing their research. Although most people in these regions speak English, internal corporate communications are often in their native tongue. As such, these users are likely less suspicious of emails in these languages, and attackers can craft emails that closely resemble internal correspondence.
Again, we can likely attribute this increase in localization to AI. LLMs allow attackers to craft convincing BEC scams in almost any language at the click of a button. There’s a reason why phishing scams have increased 4,151% since the launch of ChatGPT.
Lumma Stealer: Malware Family of the Quarter
Infostealers remain a popular malware type, and Lumma Stealer was the leading family in Q2. Delivered primarily by PDF, DOCX, or HTML attachments, Lumma targets browser-stored credentials, crypto wallets, and system data. Attackers also distribute this malware family via phishing links hosted on compromised domains or cloud platforms, such as OneDrive.
Again, this shouldn’t come as a surprise. In May, Microsoft’s Digital Crimes Unit (DCU) filed a legal action against Lumma Stealer after it found nearly 400,000 Windows computers globally had been infected over the previous two months.
Shortly after, a coordinated operation led by Microsoft, the U.S. Department of Justice (DOJ), Europol, and other partners resulted in the seizure of over 2,300 malicious domains associated with Lumma Stealer. That said, we shouldn’t discount the malware family just yet. Shortly after the takedown, new domains were established. Additionally, the Malware-as-a-Service model allows cybercriminals to customize and deploy the malware independently.
We’ll have to wait for the Q3 2025 findings to see how effective the takedown was.
How to Combat Hyper-Personalized, AI-fueled Threats
This report confirms what many of us already knew: we’re entering the era of hyper-targeted, AI-fueled email threats. Whether it’s BEC, phishing, or malware, attackers are personalizing and localizing their methods with alarming efficiency.
Organizations must adjust their approach accordingly. Security awareness remains crucial, but it’s no longer enough to stop the most advanced threats. Email security tools must evolve to detect behavior anomalies, semantic red flags, and spoofed identities at machine speed.
Mark leads the Malware Research Group at VIPRE Security Group. With over 15 years in cybersecurity, he specializes in malware analysis, threat intelligence, and reversing emerging threats. He loves to break things and find loopholes in anything from malware to cybersecurity defences.