Scammers, confidence men, swindlers. Whatever you call them, for all of human history, people have made a living cheating others out of their hard-earned possessions. While that's never going to change, their tactics always will.
In Q4 2025, email scammers doubled down on a strategy that has worked for millennia: exploiting trust. These tricksters aren’t trying to hide; they’re trying to convince you they’re someone they’re not.
From taking over trusted accounts, to impersonating CEOs, to even weaponizing security tools against us, the findings in VIPRE's Email Threat Trends report for Q4 2025 reveal that attackers have ushered in a new era. The Trust Exploitation Era. Trust is the new attack surface.
Trust Turned Against You: Compromised Accounts Drive Phishing
Educating staff to identify phishing emails typically involves advising users to scrutinize the sender's domain. If the domain is unfamiliar or appears suspicious, the user should report the email. However, a significant challenge arises when phishing emails originate from genuine accounts on legitimate domains, because the domain check that staff have been trained to perform passes.
That’s the reality we now face. In Q4 2025, compromised accounts were the number one source of spam emails. That means attackers are sending phishing emails from trusted brands, and avoiding suspicion as a result.
Not only do emails from trusted domains successfully bypass human defenses, but they can also slip past traditional spam filters. This serves as a strong signal that an email security upgrade may be necessary.
What’s more, we’ve seen examples of how effective these tactics can be.
In January 2026, for example, attackers breached employee email accounts, then sent phishing emails from those accounts with SharePoint links that led to credential-harvesting pages. Recipients trusted the sender because the email actually came from a colleague, and many entered login details that then gave the attackers deeper access.
Executive Impersonation: The New Normal in BEC
Emails from colleagues or your boss are often more convincing than those from trusted brands. This is precisely why Business Email Compromise (BEC) was the dominant threat on the email landscape in Q4 2025, constituting 51% of all email scams.
More interesting, however, is how attackers conducted those scams. Impersonation accounted for 82% of Q4 BEC cases, and attackers impersonated CEOs in 20% of malicious emails. Whatever way you slice it, that’s a crazy statistic. It’s rare that attackers settle on a single tactic – namely, CEO fraud – so universally.
So why is it that attackers have taken to CEO impersonation in such a way? Because AI has made it much, much easier. AI tools can scrape the internet for information about a CEO, their personality, their employment history, even their writing style, and craft a convincing phishing email in seconds. That means no more tell-tale spelling or grammar mistakes. And all this can be done on an unprecedented scale.
BEC is a threat that sidesteps typical email defenses, as it doesn’t rely on malicious links or attachments. Instead, sophisticated, potentially AI-powered scammers leverage BEC to directly manipulate employees into divulging sensitive information like credentials, granting access, or transferring funds. This tactic is effective because a standard spam filter cannot detect or block this type of social engineering attack.
The Human Factor Returns: Callback Phishing’s 500% Surge
Q4 also saw the return of a relatively old-school tactic: callback phishing. This is where an attacker prompts victims to initiate contact via phone numbers embedded in emails and attachments. Once they have their mark on the phone, the scammer uses traditional confidence tricks to gain remote access to the user’s account, distribute malware, and/or steal data from their network.
In Q4 2025, these scams jumped 500%, up from just 3% to 18% of all phishing activity. And, again, we’ve seen some pretty high-profile instances of callback phishing in the headlines. In January 2026, attackers began leveraging Microsoft Teams notifications to trick victims into dialling fake support lines.
And once again, just like compromised accounts and BEC, callback phishing is an excellent way to bypass traditional email security. If attackers don’t embed malware into an email’s text, link, or attachment, most spam filters aren’t going to flag that email as a threat.
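Both of the tactics described above, executive impersonation and callback phishing, share the property that a link- and attachment-centric filter has little to inspect, so detection has to come from the headers and the wording of the message itself. The following is an added example written for this article, not VIPRE's own detection logic or a description of its product: it applies two header and body heuristics to constructed sample messages. The organisation domain (`example.com`), the executive roster, the regular expressions and all three messages are assumptions constructed for illustration.

```python
"""Triage heuristics for two trust-exploitation patterns: executive
impersonation (BEC) and callback phishing. Added example; the roster,
domain and sample messages below are constructed, not real data."""
import re
from email import message_from_string
from email.message import Message
from email.utils import parseaddr

# Constructed: the organisation's own domain and the display names of the
# executives most likely to be impersonated. A real deployment would load
# these from the directory service.
ORG_DOMAIN = "example.com"
EXECUTIVE_NAMES = {"dana ceo"}

# Loose phone-number shape (optional country code, 3-3-4 digits with
# common separators); tuned for recall, so it is paired with a lure check.
PHONE_RE = re.compile(r"(?:\+?\d{1,3}[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}")
URL_RE = re.compile(r"https?://", re.IGNORECASE)
# A call-to-action verb followed within 40 characters by a support/urgency word.
CALL_LURE_RE = re.compile(
    r"\b(call|dial|phone|contact)\b.{0,40}\b(support|helpdesk|billing|immediately|now|within)\b",
    re.IGNORECASE | re.DOTALL,
)


def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _body_text(msg: Message) -> str:
    """Return the text/plain content of a parsed message as a string."""
    if msg.is_multipart():
        parts = [p.get_payload(decode=True) or b"" for p in msg.walk()
                 if p.get_content_type() == "text/plain"]
        return "\n".join(p.decode("utf-8", "replace") for p in parts)
    return (msg.get_payload(decode=True) or b"").decode("utf-8", "replace")


def exec_impersonation_signals(msg: Message) -> list[str]:
    """BEC heuristics: an executive's display name on an address outside the
    organisation, or a Reply-To that diverts replies away from the From domain."""
    signals = []
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    name_key = " ".join(re.sub(r"[^a-z ]", "", from_name.lower()).split())
    if name_key in EXECUTIVE_NAMES and _domain(from_addr) != ORG_DOMAIN:
        signals.append("exec-name-external-address")
    if reply_addr and _domain(reply_addr) != _domain(from_addr):
        signals.append("reply-to-mismatch")
    return signals


def callback_phishing_signals(msg: Message) -> list[str]:
    """Callback heuristics: a phone number next to a call-to-action, and no
    URL or attachment for a link-based filter to examine."""
    body = _body_text(msg)
    signals = []
    has_attachment = any(p.get_filename() for p in msg.walk())
    if PHONE_RE.search(body) and CALL_LURE_RE.search(body):
        signals.append("phone-number-call-lure")
        if not URL_RE.search(body) and not has_attachment:
            signals.append("no-link-no-attachment")
    return signals


def triage(raw: str) -> dict:
    """Parse a raw RFC 5322 message and return the signals it triggers."""
    msg = message_from_string(raw)
    signals = exec_impersonation_signals(msg) + callback_phishing_signals(msg)
    return {"subject": msg.get("Subject", ""), "signals": signals,
            "suspicious": bool(signals)}


# Constructed sample messages (not real captures).
CEO_FRAUD = """\
From: Dana Ceo <dana.ceo@gmail-mail.example>
Reply-To: Dana Ceo <dceo.private@freemail.example>
To: accounts@example.com
Subject: Quick favour

Are you at your desk? I need a wire processed before the board call. Keep this between us.
"""

CALLBACK = """\
From: Billing Desk <billing@renewals.example>
To: staff@example.com
Subject: Your subscription renewed: $499.00

Your annual plan has been renewed and charged. If you did not authorise this,
call our support line on +1 (555) 010-7788 within 24 hours to cancel.
"""

BENIGN = """\
From: Dana Ceo <dana.ceo@example.com>
To: staff@example.com
Subject: Q4 all-hands

Slides from yesterday's all-hands are on the intranet: https://intranet.example.com/q4
Reply here if anything is unclear.
"""

if __name__ == "__main__":
    for sample in (CEO_FRAUD, CALLBACK, BENIGN):
        print(triage(sample))
```

The two checks are deliberately independent: the BEC check never reads the body, and the callback check never reads the sender, so each catches its pattern even when the other signal is absent. In practice these would feed a score alongside authentication results rather than block on their own, since a legitimate executive mailing from a personal address, or a real invoice with a support number, can trigger one signal each.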
When Security Tools Become Weapons
Finally, we see attackers exploiting the security tools we trust most.
In Q4 2025, attackers used human verification systems like CAPTCHAs, Cloudflare, and "I am not a robot" checks to bypass email scanners. In short, they placed legitimate anti-bot steps in front of their malicious pages, so that automated email security scanners following a link were stopped at the verification screen and never reached the content behind it. That's impressive.
And the result? Organizations today are at far greater risk of undetected malicious URLs reaching employees, escalating the risk of malware infections and compromised accounts. Reviewing your email security is no longer optional.
Strategic Response: Beyond Reputation-Based Security
How can we fight back against trust-based exploitation tactics? Simply put, with solutions that understand intent, adapt in real time, and protect your inbox inside and out.
These solutions exist. AI-driven tools can now discern intent. They pick up the subtle social engineering tactics in email copy that traditional filters can’t.
Now, you might think an advanced email security solution won’t provide adequate ROI. You might think your existing tools are doing enough. But evolving attacker tactics don’t just pose a security risk; they’re eroding trust in your business communications and overloading your security team. Trust is the new perimeter.
And when trust breaks down, what’s left?
Rene is a Lead Malware Research Engineer at VIPRE Security with over 18 years' experience in cybersecurity. A specialist in deep-dive reverse engineering and threat intelligence, he focuses on deconstructing emerging threats to stay ahead of the adversary.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.