Proofpoint, a leading cybersecurity and compliance company, recently released the second volume of its Human Factor 2025 Report series, which reveals a sharp escalation in phishing and URL-based threats.
Drawing on data from Proofpoint’s threat intelligence platform, the report outlines how cybercriminals are using advanced social engineering and AI-generated content to make malicious URLs increasingly difficult for users to identify.
Whether through email, text messages, or collaboration apps, URL-based threats now dominate the cyber threat landscape. Attackers are not just impersonating trusted brands – they are abusing legitimate services, tricking users with fake error prompts, and bypassing traditional security by embedding threats in QR codes and SMS messages.
Key findings from the report include:
- Malicious URLs are now the preferred delivery mechanism – used four times more than attachments in email threats: Cybercriminals increasingly favour URLs over attachments, as they are easier to disguise and more likely to evade detection. These links are embedded in messages, buttons, and even inside attachments like PDFs or Word documents to entice clicks that initiate credential phishing or malware downloads.
- ClickFix malware campaigns increased nearly 400% year-over-year: ClickFix is a phishing technique that lures users into running malicious code by displaying fake error messages or CAPTCHA screens. By exploiting the urge to resolve a perceived technical issue, this method has quickly become a go-to tactic for malware operators, helping them spread remote access trojans (RATs), infostealers, and loaders.
- Proofpoint identified over 4.2 million QR code phishing threats in the first half of 2025 alone: QR code-based attacks remove users from enterprise protections by leveraging personal mobile devices. Once scanned, these codes redirect users to phishing sites designed to harvest sensitive information such as credentials, credit card data, or personal identifiers, all under the guise of legitimacy.
- Credential phishing remains the most prevalent goal for attackers, with 3.7 billion URL-based attacks aimed at stealing logins: Attackers are overwhelmingly focused on stealing login credentials rather than distributing malware. With phishing lures that impersonate trusted brands and use off-the-shelf tools such as CoGUI and Darcula phish kits, even low-skilled actors can deploy highly convincing campaigns that bypass multifactor authentication and lead to full account takeover.
- Smishing campaigns jumped 2,534% as attackers shift focus to mobile devices: At least 55% of suspected SMS-based phishing messages (smishing) analysed by Proofpoint contained malicious URLs. These often mimic government communications or delivery services and are highly effective due to the immediacy and trust users place in mobile text messages, reflecting a shift toward mobile-first targeting by threat actors.
“The most damaging cyber threats today don’t target machines or systems. They target people. In addition, URL-based phishing threats are no longer confined to the inbox, they can be carried out anywhere and are often extremely difficult for people to identify”, said Matt Cooke, Cybersecurity Strategist at Proofpoint. “From QR codes in emails and fake CAPTCHA pages to mobile-first smishing scams, attackers are weaponising trusted platforms and familiar experiences to exploit human psychology. Defending against these threats requires multilayered, AI-powered detection and a human-centric security strategy.”
To download The Human Factor 2025: Volume 2 – Phishing and URL-Based Threats, visit https://www.proofpoint.com/us/resources/threat-reports/human-factor-url-phishing
