5 Phishing Experts Share Their Predictions For 2025

We asked five social engineering experts what phishing trends they expect to see in 2025.

As phishing tactics become more sophisticated and personalized, they will pose an increasingly significant security threat to organizations worldwide.

Looking toward 2025, what developments in phishing techniques and defense mechanisms will shape the cybersecurity threat landscape?

We asked five experts for their perspective and predictions:


Mika Aalto, CEO of Hoxhunt: In 2025, I anticipate seeing even more sophisticated phishing attacks powered by advancements in AI. Attackers will use AI agents to tirelessly search for vulnerabilities, open-source intelligence to fuel personalized attacks, text-based AI to mimic human writing styles, and deepfake technology to create more convincing impersonations faster and cheaper than ever before. This will eventually push organizations to adopt more advanced training tools; it’s just a matter of when—before or after a breach.

Another trend will be the integration of human risk analytics into phishing prevention strategies. Organizations can now analyze user behavior patterns and training performance data to pre-emptively identify vulnerable employees and target dynamic interventions. This shift from reactive to proactive phishing protection will be essential as the negative impacts of human-based breaches hit an all-time high.


John Wilson, Senior fellow, threat research at Fortra: I expect we’ll see increased use of personal data obtained from data breaches as part of email scams in 2025. Personal data will not only increase victim compliance but will also enable more intricate impersonation. I also expect to see more cross-channel attacks, like what we’ve seen with QR code phishing and hybrid vishing. Lastly, AI will enable scammers to target victims in any language, without the spelling and grammatical errors that used to be the hallmark of an email scam.

Putting this all together, I can imagine complex, highly personalized scenarios such as a deep-fake voicemail from your boss instructing you to be on the lookout for an email from the Help Desk related to an important security update for your home router. The email might contain your home address as well as a link you should click to install malware disguised as a router update.


Roger Grimes, Data-driven defense evangelist, KnowBe4: Certainly, we expect to see a big increase in attackers using AI-enabled deepfake technologies to perform better scams. On the other hand, we have been using AI for over six years to fight attacker scams, and that will just continue to ramp up in 2025. We see AI actually being a tool that, for the first time, may be more beneficial in the defender’s hands than the attacker’s.


Arnout van de Meulebroucke, CTO, Phished: By 2025, we anticipate an even sharper rise in AI-driven phishing attacks, making them more sophisticated and highly targeted. Mobile devices are likely to become a primary focus for cybercriminals, while Business Email Compromise (BEC) schemes—like those leveraging new 2FA phishing services targeting Microsoft 365 accounts—will remain a serious threat, particularly for larger organizations. As regulatory pressures grow, we also foresee an increased emphasis on phishing prevention and response, especially in industries directly or indirectly impacted by NIS2.


Javvad Malik, Lead security awareness advocate, KnowBe4: In all likelihood phishing attacks will become even more personalized and sophisticated, leveraging artificial intelligence to craft messages that are remarkably convincing. Additionally, the integration of deepfake technology may lead to the emergence of exceptionally believable phishing attempts through counterfeit audio and video elements, making the detection of such frauds increasingly challenging for the untrained eye.

