While Security Awareness Training might not seem like a sophisticated defense strategy, it’s remarkably effective. Here are some of the trends we expect to see in 2025.
According to Verizon’s 2025 Data Breach Investigations Report, 60% of data breaches involve a human element.
Over the past year, there has been a decrease in the number of incidents and breaches caused by human error. The most common type of mistake that caused data breaches was mis-delivery, affecting 49% of cases. IBM’s Cost of a Data Breach report found that human error was a root cause for 22% of breaches. Another 23% were caused by IT failures, and the remaining 55% were malicious attacks from internal or external threat actors.
Those are some uncomfortable statistics, especially when we consider how hard it is to prevent something as human as a mistake. It is, however, possible to educate and train your users on cybersecurity dangers so the threat of human error causing a breach is minimized. This education and training is delivered through Security Awareness Training (SAT).
With an SAT program, it is important that the topics and modules are relevant and comprehensive. These modules are like “cybersecurity classes” that contain informative and engaging content on specific cybersecurity cases, scenarios, and threats. Nearly every SAT vendor will offer the same broad range of topics, with specific vendors focusing on more niche areas.
What Is Security Awareness Training?
Most SAT programs will include specialized and basic training topics, phishing simulations, and reporting capabilities to track user progression. Taken together, these facets are more than the sum of their parts.
Training usually begins with short modules made up of video clips and case studies. These will highlight how to spot a threat, and what to do about it. Once the training is completed, the data can be fed back to the admin through the reporting function. Then, the user will have to respond to a phishing simulation to test how much of the content they have understood. Anyone who fails the training may be required to complete further modules or face additional simulated threats.
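The module → reporting → simulation → remediation loop described above, worked through as an added example (not code from the article or from any SAT vendor): it scores a simulated phishing campaign from a constructed event feed, produces the click and report rates an admin would see in the reporting function, and routes each user to further modules or another simulation. The event names, the sample feed and the routing policy are assumptions made for this illustration.

```python
# Added example, not code from the article or any SAT vendor; event names, the feed and the policy are assumptions.
from collections import defaultdict
from dataclasses import dataclass

SEVERITY = {"delivered": 0, "opened": 1, "clicked": 2, "submitted": 3}  # later = worse

@dataclass
class UserResult:
    worst: str = "delivered"             # most severe non-report action seen
    reported: bool = False               # used the report button at all
    reported_before_click: bool = False  # the outcome training aims for

def summarise_campaign(events):
    """Collapse a raw per-event feed into one UserResult per recipient."""
    per_user = defaultdict(list)
    for e in events:
        per_user[e["user"]].append(e)
    results = {}
    for user, evs in per_user.items():
        r, first_click = UserResult(), None
        for e in sorted(evs, key=lambda ev: ev["ts"]):  # replay chronologically
            kind = e["event"]
            if kind == "reported":
                r.reported = True
                r.reported_before_click |= first_click is None
                continue
            if SEVERITY[kind] >= SEVERITY["clicked"] and first_click is None:
                first_click = e["ts"]
            r.worst = max(r.worst, kind, key=SEVERITY.__getitem__)  # unknown kind -> KeyError
        results[user] = r
    return results

def campaign_metrics(results):
    """Headline numbers an admin reads off the reporting dashboard."""
    n = len(results)
    clicked = sum(SEVERITY[r.worst] >= SEVERITY["clicked"] for r in results.values())
    submitted = sum(r.worst == "submitted" for r in results.values())
    reported = sum(r.reported for r in results.values())
    return {"recipients": n, "click_rate": round(clicked / n, 3),
            "submit_rate": round(submitted / n, 3), "report_rate": round(reported / n, 3)}

def remediation_plan(results):
    """Hypothetical policy: credentials submitted -> further modules; a click (even
    if reported afterwards) -> another simulation; an early report is recognised."""
    plan = {}
    for user, r in results.items():
        if r.worst == "submitted":
            plan[user] = "further_modules"
        elif r.worst == "clicked":
            plan[user] = "additional_simulation"
        else:
            plan[user] = "recognise" if r.reported_before_click else "none"
    return plan

# Constructed sample feed: one campaign, four recipients, "ts" in seconds.
SAMPLE_EVENTS = [
    {"user": "alice", "event": "delivered", "ts": 0},
    {"user": "alice", "event": "opened", "ts": 30},
    {"user": "alice", "event": "reported", "ts": 45},
    {"user": "bob", "event": "clicked", "ts": 120},
    {"user": "bob", "event": "submitted", "ts": 150},
    {"user": "carol", "event": "clicked", "ts": 600},
    {"user": "carol", "event": "reported", "ts": 700},  # reported, but after clicking
    {"user": "dave", "event": "delivered", "ts": 0},
]
```

Note that a late report (carol) still counts toward the report rate but does not cancel the click, which is why she is routed to another simulation rather than recognised.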
It’s worth checking that the vendor you’re looking at provides phishing simulations with the training as not all vendors do. Having separate simulation tools can add extra expenses and be less cohesive than solutions that provide training and simulation within one product.
Do I Need Security Awareness Training?
The short answer is yes. It doesn’t matter if you’re in a tech company and “should know better”, as everyone is capable of human error. Unfortunately, not everyone is as internet-savvy as they should be, and this lack of knowledge can be highly damaging for your business.
In many cases, the last thing standing between your organization and a breach is an end user who must decide whether to download a potentially harmful file or report it. It could be that they are poised to share data with a “colleague” who is, in fact, a malicious actor. In these instances, you want to ensure that your employees are as well trained as they can be. The way to ensure this is with SAT.
Beyond the obvious cyber security benefits, SAT is a requirement of HIPAA, PCI-DSS, and GDPR frameworks. Having an effective SAT solution will ensure your organization is compliant, as well as safe.
Security Awareness Training Trends for 2025
In this section, we’ll consider some of the topics and trends that we expect to see in 2025. Some of these are new and emerging areas, whilst others are pre-existing, but likely to become even more significant.
Phishing Attacks
While we’ve all heard about the dangers of phishing attacks, there is no chance that they’ll disappear in 2025. It is worth reminding ourselves of how important it is to train your users on the dangers of phishing attacks, and how best to prevent them from causing damage. For the second year in a row, phishing and stolen or compromised credentials were the two most prevalent attack vectors. Both also ranked among the top four costliest incident types. The average remediation cost of a phishing attack in 2024 was $4.88 million. (IBM, see figure 7)
Anyone who has had an email account in the past decade will be aware of the dangers of phishing emails – years of warnings, training, and reminders have turned phishing into a hot topic.
This effective messaging has, in turn, forced threat actors to get creative and develop new, unusual ways of tricking users to grant access or give up critical information.
Two novel phishing attacks that we expect to see more of in 2025 are vishing and smishing.
Voice Phishing Or Vishing
Vishing refers to the practice of making fraudulent phone calls to individuals, claiming to be a trusted party, with the intention of getting the recipient to verbally hand over sensitive information or data. So far, this threat has predominantly focused on attacking private individuals rather than companies – that doesn’t mean this will always be the case though.
When it comes to personal vishing attacks, threat actors often trick people into handing over their bank or credit and debit card information for financial gain. As with all phishing attacks, the threat actor will pose as a trusted figure from a reputable company to make the request for information seem realistic.
While vishing attempts in the business world are rare, they can and do happen. It can be particularly easy to impersonate a more senior person within a company such as a C-level executive. In large organizations, many employees may have never met the executive team, but wouldn’t think twice about following an instruction purportedly sent from them. There is often enough information to make this impersonation plausible through social media sites like LinkedIn and Facebook. With company information on the website, attackers can easily weave a credible and believable story to target specific end-users with certain levels of clearance and privilege.
SMS Phishing Or Smishing
Smishing is the art of sending fraudulent text messages to intended victims, again posing as a trusted figure or representative. Again, this is often done with the intent of stealing financial details or other sensitive information.
One of the current smishing attacks involves the attacker pretending to be a family member texting off a different phone, telling the recipient that they’ve broken theirs and are waiting for a replacement. In the meantime, they need some money to help with a bill or another expense. This is often done with a sense of time pressure and urgency – this encourages the recipient to act without thinking.
Smishing attacks often target lone individuals, rather than specific companies, but that doesn’t mean this will always be the case. Staff can be busy and do not always have the time or mental bandwidth to check if the message is genuine. This could lead to them clicking on a harmful link or sending over sensitive information. If your organization uses cell phones heavily, or has remote employees, this type of attack could pose a significant risk.
While email phishing predates vishing and smishing attacks in terms of popularity, vishing and smishing attacks are fast catching up in terms of prevalence in both frequency and severity. With smartphones being commonplace – with the same device often being used for both work and personal – attackers have begun to favor smishing as a low effort, high reward attack.
According to IBM, GenAI may be playing a role in creating some of these phishing attacks. For example, GenAI makes it easier than ever for even non-English speakers to produce grammatically correct and plausible phishing messages. While organizations are moving quickly ahead with GenAI, only 24% of gen AI initiatives are being secured.
So, what does this mean for SAT? It means that training needs to stay ahead of the curve and educate users about new and emerging threats. With an ever-changing threat landscape, it’s important that your SAT program include vishing and smishing content, whilst encouraging users to be cautious.
Business Email Compromise
While it may feel as though Business Email Compromise (BEC) goes hand in hand with phishing (they are sometimes used interchangeably), it is worth making the distinction between the two and stressing the importance of having separate training modules that address each in finer detail.
One of the key differentiators between phishing and BEC is the level of detail and complexity. Phishing generally involves little effort. Attackers send out mass amounts of emails (or calls or SMS) at once, with the assumption that someone, somewhere will fall for it. BEC, on the other hand, takes this a step further.
BEC is (usually) an email scam where an attacker will target a specific individual within a specific business. Again, the intention is to defraud for financial gain or steal data and information for further exploitation. Threat actors going the BEC route will create fake accounts and email addresses (sometimes even websites) in order to make the attack as credible as possible. The attacker may even have a realistic LinkedIn page in case a potential victim wants to make a quick check.
Real time and effort will go into ensuring that BEC attacks are as realistic as possible. These attacks can be highly sophisticated, with some threat actors even going as far as to use deepfake technology in order to trick unsuspecting users.
VIPRE’s latest Email ThreatTrends report found that BEC accounted for 37% of all email scam attacks in Q1 of 2025. Impersonation remained the number one method of BEC attack, beating other vectors like Diversion, Email Hijacking, and Account Takeover.
In Q2 of 2024, 40% of BEC emails seen by VIPRE were AI-generated. It is predicted that the use of AI for automating and personalizing phishing attempts will remain a concern throughout 2025.
Another variation of the attack is Email Account Compromise (EAC), which is sometimes referred to as email account takeover. This can be insidious and a difficult attack to spot. EAC is where an attacker exploits a valid email account to give the seal of authenticity. Once they have gained access, the attacker will target other individuals within the company, posing as the colleague, until they have the money, data, or information they want.
Both BEC and EAC can be incredibly difficult to spot and, due to their sophistication, not every email security tool is adept at finding and filtering these emails out. As such, BEC and EAC will continue to be important trends as we move further on into 2024.
Remote Working
A certain global pandemic forced organizations to reconsider how they operate. In 2020 we saw the rise of remote working, with some organizations and employees still opting for a remote or hybrid practice.
Some organizations have seen financial benefits in giving up rented offices and decided to pay a “home working stipend” instead. Even though we’re a year further on from the pandemic, we’re not back where we started.
It’s easy for standards and security to slip when you have a hybrid, flexible, or entirely remote workforce. It’s even harder to maintain security if you also factor BYOD (Bring Your Own Device) into the mix. All your users, wherever they choose to work from, should understand the dangers that can present themselves while working remotely and how to appropriately address the issue as and when it occurs.
One of the main reasons why remote and hybrid users are so vulnerable is that they don’t have the support system or knowledge base that an office environment can bring. For example, if a user receives a potential phishing email that they’re not sure about, it is much easier to ask for advice in an office. Yes, it’s very easy to send a message via Teams to ask for a second opinion, but it is also easy to downplay your worries and be less likely to reach out.
This physical distance between employee and workplace can allow attackers to get in between. All it takes is for an employee to throw caution to the wind, click on a risky link, and expose your whole organization. Ensuring that your staff are trained on cybersecurity threats, and knowledgeable on how to maintain security from wherever they work will continue to remain relevant into 2024 and beyond.
Removable Media
It is important for any SAT program to highlight the dangers and risks of storing data. With the widespread adoption of the cloud, data storage security has been at the fore of our minds, but some SAT vendors overlook the amount of data stored on removable media. Removable media refers to physical storage devices such as USBs, external hard drives, and even CDs.
Removable media is an important topic to include because not everyone considers the potential dangers, and it is easy to get caught up in securing your company’s virtual perimeter rather than the physical one. There are two main risks to consider with removable media: the threat of having data on removable media physically stolen, or having a piece of removable media infected with malware or ransomware planted within the office, biding its time.
Users must take care when storing removable media devices to prevent them from being stolen. Their size makes them easy to lose or steal. We often don’t consider something like a USB drive a significant object, making it easy to overlook the significance of the data that is stored on it.
Employees should know your organization’s removable media policy, with their usage being controlled and monitored. Users who work remotely should be aware of how to protect their company-mandated or personal services used for work while out and about and at home. Removable media should be kept safe in cafes, coworking spaces, and even users’ home offices.
With removable media being so easily accessible, users often know how to keep it safe, but need to be reminded of its significance. In 2025, Expel reported that 10.5% of attacks on endpoints used removable media as an attack vector. The most common endpoint attack type, reported in 65% of cases, was drive-by downloads. This is a technique that leverages infected or attacker-controlled websites to trick a user into downloading and executing a malicious file.
Passwords
Despite the previously mentioned methods of having your accounts accessed, instances of stolen passwords are still the number one cause of a breach. About 81% of all hacking-instigated breaches were possible because of stolen passwords. The most common attack vector for intentional breaches was credential abuse, seen in 22% of cases (Verizon, see figure 5). Attacks that used stolen or compromised credentials had the longest response time on average at 292 days (IBM, see figure 8).
Research from Surfshark found that in Q4 of 2024, 527 accounts were leaked every minute, and 9.7 billion personal accounts worldwide have been breached since the beginning of 2020.
It’s safe to say that passwords, despite being our go-to method for authentication, aren’t that secure–or at the very least aren’t being kept secure. With passwords continuing to be a huge problem for organizations to manage and the golden ticket for threat actors, instilling good password hygiene is an imperative as we go through 2025. There will still be password breaches, but making sure your users know how to create effective passwords, how to use them securely, and how to store them, is the first step in protecting your passwords.
Passwordless Authentication
While passwords have been around for a while, passwordless authentication is really starting to take off. SAT should cover other methods of authentication, such as multi-factor authentication or the entire removal of passwords. Many companies and consumers are looking for ways to replace passwords, thereby making their lives easier whilst maintaining their security. One of the ways of achieving this is passwordless authentication – full authentication, just without the passwords.
In 2022, Microsoft, Apple, and Google all announced their plans to move towards a common passwordless sign-in approach that would be accepted as standard, supported by the World Wide Web Consortium and FIDO Alliance. The intention was to have a passwordless approach supported across mobile, desktop and browsers.
A 2025 study from Cybernews reviewing over 19 billion exposed passwords found that 94% of passwords are reused or duplicated. These passwords are a hot commodity on the dark web where they’re often available for purchase in bulk. Multi-factor and two-factor authentication aren’t new solutions, but they are becoming more widely adopted as companies eagerly look away from passwords to more secure forms of authentication.
It’s exciting stuff for the tech world, with many untold benefits not just to do with security but enhancing the user experience as well. We’re sure to see MFA and passwordless authentication become more of a hot topic in SAT programs as users need to learn best practices when managing their accounts.
Cloud Security
If it feels like everyone is migrating to the cloud these days, it’s because they are. Moving to the cloud provides a lot of benefits – users can work from anywhere, easily access data, and have a streamlined workflow. There are, however, a number of security risks associated with the cloud.
As your entire security stack, your data, and everything you use to work is stored in the cloud, it is a critical piece of infrastructure that attackers might target. While there is shared responsibility between the cloud provider and the customer, organizations need to take extra care on their side to ensure that security is kept tight in the cloud at all times. This responsibility will also extend to your users, and you should ensure that best practices and behavior are maintained at all times.
As more and more companies migrate to the cloud, it is important to make sure users know what this means and how they can work safely in the cloud. SAT programmes should make users aware of the risks, while explaining how to make best use of the cloud’s benefits.
Social Media Scams
Long gone are the days of email being the only attack vector. As the number of communication channels increases and diversifies, cyber attackers will develop new tactics and attack types. One of the emerging attack vectors is social media.
Barracuda has observed social media platforms such as Facebook, Instagram, X, and LinkedIn being used to carry out phishing attacks. This problem is further exacerbated by GenAI, which makes it easy to either create a convincing deepfake profile or impersonate someone trusted. With fake and parody accounts easily made, it opens up a whole new avenue for threat actors to create successful phishing, BEC, and deepfake attacks against intended targets. Attackers may use multiple tactics in conjunction to increase their chances of success.
You can expect SAT vendors to incorporate social media scams into their content, with a focus on how users should exercise caution when managing work and personal social media accounts.
Summary
As tech and security solutions adapt and advance throughout 2025, you can be sure that threat actors won’t be far behind. As technology becomes more advanced, it can be harder for your users to spot threats, so they need to be trained as best as possible. In the case of deepfakes, with advanced AI it’s getting harder and harder for end-users to be able to tell the difference between real content and fraudulent material.
iProov’s 2025 global study found that when asked to discern AI-generated videos and images from real ones, only 0.1% of participants correctly identified all the deepfakes. Despite their poor performance, people remained overly confident in their deepfake detection skills at over 60%, regardless of whether their answers were correct. Social media platforms are seen as breeding grounds for deepfakes with Meta (49%) and TikTok (47%) seen as the most prevalent locations for deepfakes to be found online. 49% of participants reported trusting social media less after learning about deepfakes.
And it’s not just advancing AI: users are still regularly falling for phishing and WhatsApp scams, which are becoming more targeted and more specific. With old attacks continuing to work, and new threats emerging, the number of ways you can be attacked is only increasing.
Having a strong SAT programme in place is an effective and relatively simple solution to improve your organization’s security awareness. It is critical in safeguarding your users as best as possible against many forms of attacks, with your users often being the last line of defense.
Good SAT solutions will include a wide range of important and broad topics to educate your users. The very best solutions will continually add content as the threat landscape changes and adapts.
With that in mind, we’ve compiled a list of the best SAT solutions currently on the market for you to consider: