
Top five email threats of 2025

Posted by Frank Horenberg on 3rd June 2025


Ever wonder what’s lurking in your employees’ inboxes? You’re right to be on the defensive. In 2025, email isn't just a communication tool; it's a battleground where cybercriminals are constantly launching new and cunning attacks. We’ve explored the top five email threats that organizations globally are facing right now, to help you understand how to navigate evolving risks before they overwhelm your organization’s email defences.

Drawing insights from general cybersecurity reports and the types of incidents frequently highlighted by data protection authorities and security agencies, let's explore the top five email attacks making headlines (or nearly making them).

1. Sophisticated spear phishing campaigns

What is spear phishing? Spear phishing, a highly targeted form of phishing, remains a top email threat. Unlike broad phishing attacks, spear phishing emails are meticulously crafted to appear legitimate, often impersonating known colleagues, executives, or trusted vendors. Attackers conduct extensive research on their targets, making these emails incredibly convincing.

Spear phishing example: In May 2025, a spear-phishing cyberattack targeted the Edinburgh education department, disrupting access to vital online exam revision resources for over 2,500 students. Staff received a suspicious email (later identified as spear phishing), leading to emergency password resets. Fortunately, no data breaches occurred, and the council coordinated with Police Scotland, the government, and cybersecurity agencies to safeguard systems.

2. Business Email Compromise (BEC) scams

What is Business Email Compromise? Business Email Compromise (BEC) continues to be one of the most financially damaging email threats. These scams involve attackers impersonating a high-ranking executive or a trusted business partner to trick employees into making wire transfers or divulging confidential information. BEC attacks often leverage social engineering and don't necessarily involve malware, making them difficult to detect with traditional security tools. 

Business Email Compromise example: In early 2025, a large manufacturing company in the Midwest, USA, narrowly avoided a significant financial loss due to a BEC attempt. An attacker, posing as a long-term overseas supplier, sent an email to the accounts payable department requesting an urgent change in bank details for upcoming payments. The email was sent from a look-alike domain, making it appear authentic. Fortunately, the company's robust internal verification process, which requires verbal confirmation for any payment detail changes, thwarted the attack.  

3. Malware and ransomware delivery via email

What is malware/ransomware? Email remains a primary vector for delivering malware and ransomware. Attackers use various techniques, from malicious attachments (e.g., seemingly harmless PDFs, Word documents with macros) to embedded links leading to compromised websites that automatically download malicious payloads. 

Malware example: In April 2025, British retailer Marks & Spencer experienced a major cyberattack, later confirmed as a ransomware incident. The breach disrupted store operations, forced the shutdown of contactless and Click and Collect services, and halted online orders.

4. Credential harvesting

What is credential harvesting? Credential harvesting attacks aim to steal login credentials by tricking users into entering them on fake login pages. These pages are often replicas of legitimate services like Microsoft 365, Google Workspace, or popular cloud platforms. Once credentials are stolen, attackers can gain unauthorized access to corporate networks, sensitive data, and further propagate attacks. 

Credential harvesting example: In October 2023, genetic testing company 23andMe suffered a significant data breach due to credential stuffing attacks. Approximately 14,000 user accounts were initially compromised, but the breach expanded to expose sensitive personal and genetic data of approximately 5.5 million users. The attack exploited reused usernames and passwords from previous data leaks.

5. Email and domain spoofing and impersonation

What is email spoofing? Email spoofing involves forging the email header to make the message appear as if it originated from someone else. This is often used in conjunction with other attacks, such as BEC or phishing, to lend credibility to the fraudulent message. Impersonation can also involve creating email addresses that are very similar to legitimate ones (e.g., support@company.com vs. suport@company.com).

What is domain spoofing? Domain spoofing is a type of cyberattack where a malicious actor forges an email address or website to make it appear as if it's coming from a legitimate, trusted domain—often that of a well-known brand or organization. The goal is to deceive recipients into trusting the message, which may be used to steal credentials, spread malware, or commit fraud. This technique is commonly used in phishing and business email compromise (BEC) attacks and is especially dangerous because it exploits brand reputation and user trust. 
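Look-alike addresses and forged domains of the kind described above can be screened mechanically on the receiving side before a person ever has to judge them. The following Python is an added example, not Zivver's code: it reduces a sender address to a "skeleton" in which visually confusable forms compare equal (digit-for-letter swaps, rn for m, a few Cyrillic letters, punycode-encoded international domain labels), then measures edit distance against a list of trusted contacts. The trusted-contact list and every sample address are constructed for the illustration.

```python
"""Flag sender addresses that resemble, but do not match, trusted contacts.

Added example (not Zivver's code). TRUSTED_CONTACTS and the sample
addresses are constructed for illustration only.
"""
import unicodedata

# Constructed allow-list of known-good correspondents (registrable domains).
TRUSTED_CONTACTS = {"support@company.com", "ap@supplier-example.com"}

# Single characters commonly substituted for Latin letters in look-alike
# names: digits and a few Cyrillic letters that render identically.
HOMOGLYPHS = str.maketrans({
    "0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "8": "b", "|": "l",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
})


def to_unicode(domain: str) -> str:
    """Decode punycode (xn--) labels so IDN homographs can be normalized."""
    try:
        return domain.encode("ascii").decode("idna")
    except UnicodeError:
        return domain


def skeleton(text: str) -> str:
    """Reduce a domain or address to a form in which confusables compare equal."""
    text = unicodedata.normalize("NFKD", text.lower())
    text = "".join(c for c in text if not unicodedata.combining(c))  # drop accents
    text = text.translate(HOMOGLYPHS)
    return text.replace("rn", "m").replace("vv", "w")  # multi-character confusables


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert, delete, substitute), O(len(a)*len(b))."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(address, trusted_contacts=TRUSTED_CONTACTS, max_distance=2):
    """Return (verdict, reason); verdict is 'trusted', 'lookalike' or 'unknown'."""
    addr = address.strip().lower()
    if addr in trusted_contacts:
        return "trusted", f"{addr} is a known contact"
    local, _, domain = addr.rpartition("@")
    domain = to_unicode(domain)
    sk_dom, sk_addr = skeleton(domain), skeleton(f"{local}@{domain}")
    for contact in sorted(trusted_contacts):
        c_dom = contact.rpartition("@")[2]
        sk_c_dom = skeleton(c_dom)
        if domain != c_dom:
            if sk_dom == sk_c_dom:
                return "lookalike", f"domain {domain} is a homoglyph of {c_dom}"
            if levenshtein(sk_dom, sk_c_dom) <= max_distance:
                return "lookalike", f"domain {domain} is within {max_distance} edits of {c_dom}"
            # Trusted name reused as a subdomain or under another TLD.
            if sk_dom.startswith(sk_c_dom + ".") or sk_dom.split(".")[0] == sk_c_dom.split(".")[0]:
                return "lookalike", f"domain {domain} reuses the name of {c_dom}"
        # Same or unrelated domain: is the whole address a near miss of a contact?
        if levenshtein(sk_addr, skeleton(contact)) <= max_distance:
            return "lookalike", f"address {addr} is within {max_distance} edits of {contact}"
    return "unknown", f"{addr} does not resemble a known contact"


if __name__ == "__main__":
    for sample in ("support@company.com", "suport@company.com", "support@c0mpany.com",
                   "billing@cornpany.com", "ap@supplier-example.com.invoices-portal.net",
                   "info@company.com", "newsletter@unrelated-vendor.org"):
        print(f"{sample:45} -> {classify_sender(sample)}")
```

A "lookalike" verdict is a reason to hold or tag the message, not proof of fraud: short domain names and a generous max_distance produce false positives, and the first-label rule assumes the trusted list holds registrable domains (company.com, not mail.company.com). The check complements, rather than replaces, the DMARC, SPF and DKIM controls discussed later, which stop exact-domain forgery but say nothing about a freshly registered look-alike.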

Spoofing example: In 2025, federal authorities investigated a sophisticated impersonation scheme involving someone posing as White House Chief of Staff Susie Wiles. The unknown individual contacted prominent Republicans, business leaders, and public officials through texts and calls, imitating Wiles using what officials suspect is artificial intelligence to replicate her voice. The impersonator reportedly gained access to Wiles's personal phone contacts. 

How to prevent email threats 

So how can organizations protect their people from falling foul of dynamic email threats? The fact is, IT leaders can no longer rely on employees to spot sophisticated threats – most are indecipherable to the human eye.

While awareness is important, the solution lies in a multi-layered defence strategy to mitigate risks. This includes: 

  • Employee training: Regularly educating staff on how to identify and report suspicious emails, as well as sharing policies and procedures around data sharing and security.
  • Technical controls: Implementing DMARC, SPF, and DKIM to prevent email and domain spoofing.

FAQ: Understanding email security threats and terms 

Threats are evolving and so is the language used to describe them.  

Here’s our email threat index to keep you up to date on the definitions and related terms in the email threat landscape:

  • Phishing: A general term for fraudulent attempts to obtain sensitive information (like usernames, passwords, and credit card details) by disguising as a trustworthy entity in an electronic communication, most commonly email. 
  • Spear Phishing: A highly targeted phishing attack where the attacker researches the victim to create a personalized and convincing email, often impersonating someone the victim knows or trusts. 
  • Whaling: A type of spear phishing attack specifically targeting high-profile individuals within an organization, such as CEOs or CFOs, due to the significant financial or data access they possess. 
  • Business Email Compromise (BEC): A scam that targets businesses working with foreign suppliers and businesses that regularly perform wire transfer payments. The scam typically involves a criminal impersonating a high-ranking executive or a trusted vendor to trick an employee into transferring funds or sensitive data. 
  • Malware: Short for "malicious software," it's any software intentionally designed to cause damage to a computer, server, client, or computer network. Examples include viruses, worms, Trojans, spyware, and ransomware. 
  • Ransomware: A type of malware that encrypts a victim's files, demanding a ransom payment (usually in cryptocurrency) in exchange for the decryption key. 
  • Credential Harvesting: The act of collecting login credentials (usernames and passwords) from users, typically through phishing attacks that direct victims to fake login pages. 
  • Email Spoofing: The creation of email messages with a forged sender address, often to make the message appear as if it originated from a legitimate source. 
  • Domain Spoofing: A specific type of email spoofing where the sender's domain name is forged to appear as a legitimate domain. 
  • DMARC (Domain-based Message Authentication, Reporting, and Conformance): An email authentication protocol that uses SPF and DKIM to determine the authenticity of an email message and provides instructions on how to handle emails that fail authentication. 
  • SPF (Sender Policy Framework): An email authentication method designed to detect forged sender addresses during email delivery. It allows the owner of a domain to specify which mail servers are authorized to send email from that domain.
  • DKIM (DomainKeys Identified Mail): An email authentication method that allows an organization to take responsibility for a message in a way that can be validated by email recipients. It uses cryptographic authentication to verify the sender. 
  • Multi-Factor Authentication (MFA): A security system that requires more than one method of authentication from independent categories of credentials to verify the user's identity for a login or other transaction. Examples include a password plus a code from an authenticator app. 
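The "technical controls" bullet above and the SPF and DMARC definitions in this index both come down to what a domain actually publishes in DNS: a DMARC record with p=none or an SPF record ending in +all exists but protects nothing. The following Python is an added example, not Zivver's tooling; it grades constructed SPF and DMARC TXT records, showing a weak and a hardened version of each. Fetching the records from DNS (the domain's TXT record and _dmarc.<domain>) is left out so the example runs offline, and DKIM is omitted because judging it requires the selector's public key and a signed message rather than a record alone.

```python
"""Grade SPF and DMARC TXT records from weakest to strongest setting.

Added example (not Zivver's code). The records below are constructed;
a real check would fetch the TXT records for the domain and for
_dmarc.<domain> from DNS, which this offline example leaves out.
"""
from dataclasses import dataclass

SEVERITY_ORDER = {"ok": 0, "low": 1, "medium": 2, "high": 3}

# SPF terms that each cost one of the 10 DNS lookups RFC 7208 permits.
SPF_LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}

# Constructed records: a weak and a hardened version of each.
WEAK_SPF = "v=spf1 include:_spf.example.net ptr +all"
STRONG_SPF = "v=spf1 ip4:192.0.2.0/24 include:_spf.example.net -all"
WEAK_DMARC = "v=DMARC1; p=none; pct=50"
STRONG_DMARC = "v=DMARC1; p=reject; sp=reject; pct=100; rua=mailto:dmarc-reports@example.com"


@dataclass
class Finding:
    severity: str  # one of SEVERITY_ORDER's keys
    message: str


def worst_severity(findings):
    """Highest severity present, or 'ok' for an empty list."""
    return max((f.severity for f in findings), key=SEVERITY_ORDER.__getitem__, default="ok")


def parse_dmarc_tags(record):
    """Split 'tag=value; tag=value' into a dict with lower-cased tag names."""
    tags = {}
    for part in record.split(";"):
        key, sep, value = part.strip().partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags


def evaluate_dmarc(record):
    tags = parse_dmarc_tags(record)
    if tags.get("v") != "DMARC1":
        return [Finding("high", "not a DMARC record: v=DMARC1 missing")]
    findings = []
    policy = tags.get("p")
    if policy is None:
        findings.append(Finding("high", "required p= tag missing; receivers ignore the record"))
    elif policy == "none":
        findings.append(Finding("high", "p=none only monitors; mail failing DMARC is still delivered"))
    elif policy == "quarantine":
        findings.append(Finding("medium", "p=quarantine sends failures to spam; p=reject is stronger"))
    elif policy == "reject":
        findings.append(Finding("ok", "p=reject: mail failing DMARC is rejected"))
    else:
        findings.append(Finding("high", f"unknown policy p={policy}"))
    pct = tags.get("pct", "100")
    if pct.isdigit() and int(pct) < 100:
        findings.append(Finding("medium", f"pct={pct}: policy applied to only {pct}% of failing mail"))
    sp = tags.get("sp")
    if policy == "reject" and sp not in (None, "reject"):
        findings.append(Finding("medium", f"sp={sp}: subdomains get a weaker policy than the parent"))
    if "rua" not in tags:
        findings.append(Finding("low", "no rua= address: no aggregate reports to reveal abuse or misconfiguration"))
    return findings


def evaluate_spf(record):
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return [Finding("high", "not an SPF record: v=spf1 missing")]
    findings, lookups, all_qualifier = [], 0, None
    for term in terms[1:]:
        qualifier = "+"  # SPF's default qualifier is pass
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        # Mechanism name precedes ':' (include:x), '/' (a/24) or '=' (redirect=x).
        name = term.split(":")[0].split("/")[0].split("=")[0].lower()
        if name in SPF_LOOKUP_TERMS:
            lookups += 1
        if name == "ptr":
            findings.append(Finding("medium", "ptr mechanism is deprecated and unreliable"))
        if name == "all":
            all_qualifier = qualifier
    if all_qualifier is None:
        findings.append(Finding("medium", "no 'all' term: unlisted senders get a neutral result"))
    elif all_qualifier == "+":
        findings.append(Finding("high", "+all authorizes every host on the internet to send as this domain"))
    elif all_qualifier == "?":
        findings.append(Finding("medium", "?all is neutral: equivalent to publishing no policy"))
    elif all_qualifier == "~":
        findings.append(Finding("low", "~all softfail: acceptable with DMARC, but -all is stricter"))
    else:
        findings.append(Finding("ok", "-all: unlisted senders hard-fail"))
    if lookups > 10:
        findings.append(Finding("high", f"{lookups} lookup terms exceed the RFC 7208 limit of 10 (permerror)"))
    return findings


if __name__ == "__main__":
    for label, rec, fn in (("weak SPF", WEAK_SPF, evaluate_spf), ("strong SPF", STRONG_SPF, evaluate_spf),
                           ("weak DMARC", WEAK_DMARC, evaluate_dmarc), ("strong DMARC", STRONG_DMARC, evaluate_dmarc)):
        print(label, rec, *(f"  [{f.severity}] {f.message}" for f in fn(rec)), sep="\n")
```

The grading reflects how receivers behave: a DMARC policy of none or an SPF record ending in ?all or +all leaves spoofed mail deliverable, pct below 100 applies the policy to only a sample of failing mail, and more than ten lookup-triggering SPF terms makes receivers return permerror, which is as good as having no SPF at all. Moving from monitoring (p=none with rua reporting) to p=quarantine and then p=reject, once the reports show all legitimate senders pass, is the usual rollout order.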
