Cybersecurity Awareness Month: Staying ahead of evolving phishing threats

As Cybersecurity Awareness Month comes to an end, it’s more crucial than ever to remain alert to cyber threats — especially phishing attacks, which continue to grow in scale and sophistication. Over the past month, we’ve covered foundational topics like password security, the importance of timely software patching, and the benefits of multifactor authentication. We’ve also discussed practical strategies that security professionals and MSPs can use to empower clients, colleagues and end users to safeguard against evolving cyberattacks. In this final article, we turn our attention to the fast-changing landscape of phishing, spotlight the latest emerging tactics and provide actionable advice to help you stay secure throughout the year.

Phishing remains one of the most reliable, profitable and widespread attack methods for cybercriminals. Today’s attackers have expanded their reach beyond email, using text messages, direct messaging apps, social media platforms, and even phone calls to trick users into giving up credentials or installing malware. To stay protected, it's essential to consistently verify the sender and confirm the legitimacy of any communication before clicking on links or opening attachments. If something seems unusual or suspicious, trust your instincts — pause, investigate and double-check before taking action.

Phishing in 2025: New tricks and tools

Recent findings from Barracuda reveal that phishing attacks are growing increasingly targeted, persistent and sophisticated. Here are some key trends and tactics to be aware of in today’s phishing landscape:

• Phishing-as-a-Service (PhaaS) is on the rise, making it remarkably simple for even non-technical criminals to launch highly sophisticated phishing campaigns. Some of these attacks are now advanced enough to bypass MFA and steal authentication codes. Barracuda researchers report that 60% to 70% of the phishing attacks they’ve observed in 2025 have been PhaaS attacks, underscoring the significant threat this trend poses.
• Evasive techniques: Attackers are increasingly using advanced tactics such as embedding ASCII-based QR codes, using Blob URLs and moving phishing content into attachments to evade detection by traditional security filters. These evolving methods make it even more challenging for automated defenses to identify and block malicious activity.
• Abuse of trusted platforms: Phishers are exploiting reputable content creation and publishing sites to host and disguise malicious links, making phishing attempts appear more authentic and harder to detect.
• AI-powered deception: Cybercriminals now leverage artificial intelligence to craft highly convincing, polished phishing emails that are free of obvious errors. With AI, attackers can rapidly adjust their tactics, personalize messages and mimic legitimate communications more effectively than ever, making these scams harder to detect and increasing their success rate.

PhaaS significantly lowers the bar for aspiring cybercriminals by providing ready-made phishing kits and services, complete with customizable templates, automated attack tools and even customer support. These kits are cheap, widely available and frequently updated to evade detection. As a result, sophisticated PhaaS campaigns — such as Tycoon 2FA and EvilProxy — now account for the majority of phishing attacks, targeting individuals, small businesses and large enterprises alike.

How to protect yourself and your organization

1. Stay informed: Follow trusted sources for the latest threat intelligence, and share relevant updates and best practices with your colleagues and teams to ensure everyone is aware of emerging risks.
2. Think before you click: Take a moment before interacting with any message — especially ones urging you to act quickly or requesting sensitive information. Scrutinize links and attachments, and avoid clicking if anything seems off.
3. Verify and report: If something feels suspicious, contact the sender separately through a trusted, official channel — never reply directly to the questionable message. Promptly report all suspected phishing attempts to your IT department or security team.
4. Implement multifactor authentication (MFA): This added layer of security significantly reduces the likelihood of unauthorized account access, even if a users password is compromised.
5. Invest in security training: Use an ongoing training program, such as Barracuda Security Awareness Training, to educate employees on how to recognize and respond to phishing threats. Well-informed users are your strongest line of defense.
6. Deploy multilayered defenses: Utilize advanced tools like Barracuda Email Protection to detect, prevent and respond to sophisticated email threats — including impersonation attempts, malicious attachments and credential harvesting schemes.

Phishing tactics continue to advance, but so do our defenses. The strongest protection relies on a blend of robust technology, ongoing education and fostering a culture of security awareness. As Cybersecurity Awareness Month comes to a close, keep in mind that cybersecurity is a collective effort — every step you take contributes to a safer digital world.