Q&A: Proofpoint’s Strategy Director On The Top Email And Identity Risks To Prioritize In 2025

Expert Insights interviews Brian Reed, Senior Director of Cybersecurity Strategy at Proofpoint.

Email remains a cornerstone of business communication—and a prime target for cybercriminals. As threats evolve, tactics like Business Email Compromise (BEC) and QR-code phishing are bypassing defenses, including MFA, forcing organizations to rethink their approach to email security.

Proofpoint’s 2024 State of the Phish report highlights that there has been a sharp rise in MFA bypass attacks, with over 1 million messages sent per month. “Today’s attackers are targeting people, not just systems, using social engineering to manipulate behavior and bypass conventional defenses,” explains Brian Reed, Senior Director of Cybersecurity Strategy at Proofpoint.

Reed was previously an analyst at Gartner, where he covered cloud security, data security, incident response, insider threats, and security awareness, publishing over 50 reports including Market Guides for Digital Forensics and Incident Response Services, Security Awareness Training, and two Magic Quadrants for DLP.

In this Q&A, Reed unpacks the most pressing email security challenges, shares actionable advice for CISOs, and provides his recommendations on what your organization needs to prioritize in 2025 to keep its email ecosystem secure.

Q. What are the biggest challenges for customers in the email security space today and how are threats evolving?

The threat landscape is constantly evolving and creates emerging areas for attackers to exploit. The rise of Business Email Compromise (BEC) over the last few years has been a significant challenge, as these messages must be analysed contextually—security practitioners can no longer rely on a link, attachment, or payload to solely identify the threat. Today’s attackers are targeting humans through social engineering, using lures to get the recipient to take a specific action, such as call a phone number or communicate over another application.

QR code phishing (or quishing) is another rising threat posing challenges for organizations. These attacks involve including malicious QR codes in emails to redirect targets to spoofed or malicious sites. Modern email solutions should ideally block this threat pre-delivery (before arriving at a user’s inbox), as described in this Proofpoint blog post. Also, training users to identify key issues with QR code messages is a critical step of defense-in-depth via QR code phishing simulations.

Q. How does the Proofpoint Essentials platform help teams to address these challenges, and how do you differentiate yourselves from competitors in the email security space?

Proofpoint Essentials relies upon world-class threat research to provide end user organizations with both efficacy and efficiency. Email is a critical application in every organization, and the main vector used by threat actors to wage their attacks, and you must ensure you are not just detecting threats but not impeding the operations of your organization. This must be done with high efficiency, as downtime of email communications can significantly disrupt communication, productivity, operations, and impact your organization’s reputation.

Q. What are your top recommendations for CISOs in the process of looking for an email security solution?

Organizations looking at modern email security platforms should provide comprehensive email security. This is done through three main points in the email communications flow:

  • Pre-delivery – Inspecting and actively preventing threats before they arrive in an end user’s mailbox
  • Post-delivery – Inspecting messages after delivery, in order to look for additional threats, such as links activated post-delivery, or advanced BEC threats, or other suspicious and sophisticated fraudulent communications
  • Click-time – Inspecting messages at the point a user interacts with the message (click on the link, download the attachment) to provide an additional layer of inspection and potential protection

Q. What trends do you expect to see in the email security space in 2025?

Generative AI is making an impact in the email security space, and I foresee several effects surfacing in 2025. I expect to see Business Email Compromise (BEC) attacks continue to rise over the next year. In a public service announcement released in September 2024, the FBI reported, “between December 2022 and December 2023, there was a 9% increase in identified global exposed losses” due to BEC scams. Proofpoint’s 2024 State of the Phish report found that BEC attacks are rising in non-English speaking countries.

Japan saw a 35% year-over-year increase in BEC attacks, Korea 31%, and the UAE reported a 29% jump. This concerning data shows that attackers are using the technology to create more convincing and personalized phishing emails in multiple languages at scale. Further, as end users and employees become more reliant on AI agents to compose and send emails on their behalf, there may be an increase in the likelihood of mistakes as these agents are new to market.

I also would not be surprised to see a rise in impersonation attacks, specifically messages designed to try to subvert MFA credentials to compromise key accounts like Microsoft 365, identity providers, and other critical SaaS applications with sensitive data like Salesforce, ServiceNow, and cloud storage platforms.

Q. In your view, what should organizations’ top email security planning priorities for 2025 be?

To effectively defend against email attacks, organizations need a multi-layered defense strategy. Attackers are jumping across platforms and channels to infiltrate and move laterally within organizations.

Proofpoint research has found that 80% of attacks start with unauthorized access of privileged user identities. Implementing multi-factor authentication, targeted user awareness training, conducting regular risk assessments and ensuring overall alignment between the board and CISO would be considered a good step forward.

The fact is that today’s cyber-attacks are multi-layered, integrated, and targeting people—not just technology. Thus, if you are only relying on a gateway for pre-delivery protection, or post-delivery API inspection, you need to take a more comprehensive approach than a single point of inspection.

A multi-layered, human-centric approach to protecting people and data should be a priority for all organizations in 2025.
