2025 Cyberattack Forecast: Top Email Threats to Watch for
Few issues are as far-reaching as cybersecurity. Every business, from sole proprietors to global conglomerates, faces cyberattack risks, with threat actors targeting industries across both niche markets and essential sectors.
While cybercriminals can (and do) infiltrate organizations by exploiting software vulnerabilities and launching brute force attacks, the most direct—and often the most effective—route is via the inbox. As the front door of an enterprise and the gateway upon which employees rely to do their jobs, the inbox represents an ideal access point for attackers. And it seems that, unfortunately, cybercriminals aren’t lacking when it comes to identifying new ways to sneak in.
In this article, we’ll discuss some of the sophisticated threats we anticipate escalating in the coming year and share real-world examples of attacks Abnormal customers received in 2024.
Cryptocurrency Fraud
Cryptocurrency was initially developed to be more secure than traditional money, utilizing blockchain technology to enable decentralization and immutable transactions. However, these same qualities can facilitate fraud, as the lack of centralized oversight and the speed of irreversible transactions provide considerable opportunities for exploitation. Additionally, its novelty and esoteric nature make it attractive to less financially experienced individuals drawn to its perceived potential, while also posing challenges for even the most financially savvy to fully understand. Combined, these characteristics have made cryptocurrency a popular theme for cyberattacks.
Cryptocurrency fraud has certainly not shown any signs of slowing. And with an incoming administration that has generally been more supportive of cryptocurrency and the value of Bitcoin surging as we near the end of the year, we anticipate the volume and sophistication of these threats to continue growing throughout 2025.
Real-World Example of Cryptocurrency Fraud
Receiving a request to provide your mother’s maiden name or the name of your first pet would instantly raise red flags for the average individual. We all recognize these details as the answers to standard security questions and know not to share them. A wallet recovery phrase of 12 to 24 words is far less familiar, so a request for it does not necessarily set off the same alarm bells. It should: the recovery phrase is not a login credential but the wallet’s master secret itself, from which every private key in the wallet is derived, and unlike a password it cannot be reset once exposed. This is what the threat actor in this attack example is banking on.
Posing as Ledger, a provider of digital asset security solutions, the attacker claims that several popular cryptocurrency networks are undergoing maintenance. To re-enable the target’s access to these networks, they must use the provided link to update their account; otherwise, they risk losing their assets. Should the recipient click on the link, they are redirected to a page with a prompt to input their recovery phrase.
If they enter the recovery phrase for their digital asset wallet and click “Continue,” the page simply redirects to a real page on Ledger’s website. This is likely intended to make the target believe that they have completed the requested update successfully. What they don’t know is that they have handed their recovery phrase directly to the attacker. Using any compatible wallet software, the threat actor can input the recovery phrase, derive the wallet’s private keys, and move the funds; no access to the victim’s device or hardware wallet is required. Ledger, like every reputable wallet provider, never asks users to type their recovery phrase into a website; the phrase belongs only in the hardware device itself. Because the phrase cannot be rotated, the only remedy after exposure is to move any remaining assets to a freshly generated wallet before the attacker does.
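To make concrete what the attacker gains, the following is an added example (not code from the article, from Abnormal, or from Ledger) that performs the same derivation any BIP39-compatible wallet performs when a phrase is “restored”: the phrase is stretched into a 64-byte seed with PBKDF2-HMAC-SHA512, and the seed is turned into the BIP32 master private key and chain code. It uses only the Python standard library and the public BIP39 test phrase (twelve words, all “abandon” ending in “about”), which holds no funds. It skips the BIP39 word-checksum check, which needs the 2048-word list, and stops at the master key rather than deriving per-account child keys.

```python
"""Added example: what a stolen BIP39 recovery phrase yields (stdlib only)."""
import hashlib
import hmac
import unicodedata

# Order of the secp256k1 group; a BIP32 master key must lie in [1, N-1].
SECP256K1_N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141

# Public BIP39 test vector, not a real wallet (constructed input for this example).
TEST_PHRASE = ("abandon abandon abandon abandon abandon abandon "
               "abandon abandon abandon abandon abandon about")


def mnemonic_to_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """BIP39: seed = PBKDF2-HMAC-SHA512(phrase, "mnemonic" + passphrase, 2048 rounds, 64 bytes).

    Both inputs are NFKD-normalised and the words are joined by single spaces,
    so the derivation is identical across wallets. The optional passphrase
    ("25th word") changes the seed completely, which is why a phished phrase
    without it does not open a passphrase-protected wallet.
    """
    words = unicodedata.normalize("NFKD", " ".join(mnemonic.split()))
    salt = unicodedata.normalize("NFKD", "mnemonic" + passphrase)
    return hashlib.pbkdf2_hmac("sha512", words.encode("utf-8"),
                               salt.encode("utf-8"), 2048, dklen=64)


def seed_to_master_key(seed: bytes) -> tuple[bytes, bytes]:
    """BIP32: I = HMAC-SHA512(key=b"Bitcoin seed", msg=seed).

    I[:32] is the master private key and I[32:] the chain code; every
    account and address key in the wallet is derived from this pair.
    """
    digest = hmac.new(b"Bitcoin seed", seed, hashlib.sha512).digest()
    key, chain_code = digest[:32], digest[32:]
    k = int.from_bytes(key, "big")
    if k == 0 or k >= SECP256K1_N:
        # Astronomically unlikely; BIP32 declares such a seed invalid.
        raise ValueError("invalid master key for this seed")
    return key, chain_code


def recover_wallet(mnemonic: str, passphrase: str = "") -> dict:
    """Everything an attacker needs, derived from the phrase (and passphrase) alone."""
    seed = mnemonic_to_seed(mnemonic, passphrase)
    key, chain_code = seed_to_master_key(seed)
    return {"seed": seed.hex(), "master_key": key.hex(), "chain_code": chain_code.hex()}


if __name__ == "__main__":
    for label, pw in (("no passphrase", ""), ("passphrase 'TREZOR'", "TREZOR")):
        w = recover_wallet(TEST_PHRASE, pw)
        print(f"{label}: seed={w['seed'][:16]}... master_key={w['master_key'][:16]}...")
```

The passphrase case is the one practical mitigation a user has beyond never disclosing the phrase: a wallet protected by a BIP39 passphrase yields a completely different seed, so the phrase alone is not enough. The derivation is deterministic and needs no network access, which is why the theft is silent and complete the moment the form is submitted.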
File-Sharing Phishing
A file-sharing phishing attack is a type of phishing threat in which a threat actor exploits a legitimate file-hosting or e-signature solution to deceive targets. Because popular solutions like Dropbox, ShareFile, and Docusign offer either free registration or no-charge trials, and are API-enabled, any individual (including cybercriminals) can create and send emails at scale via the platform.
Consequently, bad actors can craft and dispatch malicious messages that are essentially identical to a normal, genuine notification because the sender’s address, email body, and embedded link are all legitimate. Such messages pass SPF, DKIM and DMARC as well as sender-reputation and URL-reputation checks, since the platform really did send them and the link really does point to it. This also means that, unlike the vast majority of phishing attacks, the malicious link isn’t contained within the email. It exists within a separate document hosted on a genuine file-hosting service, and it’s only after the target leaves the email environment and engages with the shared file that they’re exposed to the phishing link.
Real-World Example of File-Sharing Phishing
The example below illustrates how a threat actor can launch a file-sharing attack exclusively using legitimate platforms and still accomplish their goal of stealing login credentials.
First, the attacker creates and shares a Google Doc with faculty members at a public high school. As in most file-sharing phishing attacks, the document’s name is related to a topic designed to pique the recipients’ interest—in this case, a payroll update.
The Google Doc, which features the latest Microsoft 365 branding to increase the appearance of legitimacy, informs the recipients that the document linked within the file should be used to verify an update in their compensation.
Clicking on “REVIEW DOCUMENT” redirects the targets to a login screen hosted on script.google.com, the domain from which Google Apps Script serves web apps. Apps Script is a cloud-based JavaScript platform that lets users integrate with Google services and publish web applications, and because the resulting pages live on a Google-owned domain with a valid certificate, URL-reputation checks and the recipient’s own glance at the address bar both come up clean.
To enhance the ruse, the attacker cleverly uses a stock photo of children in a classroom as the background, reinforcing the idea that the login portal is meant for educators. However, any credentials entered into the page are captured by the cybercriminal and used to launch additional attacks.
AI-Generated Business Email Compromise
Business email compromise (BEC) attacks leverage social engineering to deceive recipients into divulging sensitive information or completing fraudulent financial requests. Threat actors impersonate trusted partners or authority figures, allowing them to capitalize on the implicit trust within the relationship.
BEC had already established itself as a leading cyber threat, but the emergence of AI has complicated matters. By analyzing vast volumes of data from social media, online activity, and past interactions, AI-powered platforms can generate hyper-personalized messages that convincingly mimic the writing style of the impersonated individual. This makes the emails more difficult for traditional security measures to detect and more likely to deceive unsuspecting recipients. And while legitimate tools like ChatGPT have built-in measures to prevent malicious use, these can be circumvented. Plus, malicious versions like FraudGPT are designed specifically for criminal use, empowering even novice threat actors to up-level their attacks.
Real-World Example of Business Email Compromise
Much like traditional BEC, vendor email compromise (VEC) involves the exploitation of a trusted identity. In these attacks, however, the person being impersonated is an external third party rather than an internal employee.
Both BEC and VEC attacks can involve spoofing sender addresses or using look-alike domains to deceive employees into believing the sender is who they claim to be. These two routes leave different traces: a spoofed address fails SPF, DKIM and DMARC wherever the impersonated domain enforces them, while a look-alike domain authenticates perfectly well for itself and must be caught by comparing it against the domains the organization actually does business with. The especially nefarious (and difficult to detect) attacks use the actual account of the individual being impersonated, as is the case with this example; every header-level check passes, and only the content of the message and its departure from the sender’s normal behavior remain as signals.
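The three impersonation routes described above differ in what a header-level check can see, and the difference is worth making concrete. The following is an added example (not Abnormal’s detection logic and not code from the article) that classifies a message’s sender against a list of trusted vendor domains: an exact domain match whose authentication result and envelope sender agree is “trusted”; an exact match that fails authentication or whose envelope sender points elsewhere is “spoofed”; a domain that matches after common character substitutions, lies within two edits of a trusted label, or embeds that label is “lookalike”; anything else is “unrelated”. The vendor list, the sample headers and the pass/fail authentication flag are constructed for the example, and the registrable-label extraction is simplified to the second-from-last DNS label, which is wrong for suffixes such as co.uk.

```python
"""Added example: sender classification against trusted vendor domains."""
from email.utils import parseaddr

# Character swaps attackers use in look-alike domains; multi-character pairs
# first so "rn" is rewritten before the single-character rules run.
CONFUSABLES = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"))


def domain_of(header_value: str) -> str:
    """Bare domain from a From:/Return-Path: value (display names tolerated)."""
    addr = parseaddr(header_value)[1]
    return addr.rsplit("@", 1)[-1].strip().lower()


def normalize(domain: str) -> str:
    """Fold common confusable substitutions so vend0r.com compares as vendor.com."""
    for bad, good in CONFUSABLES:
        domain = domain.replace(bad, good)
    return domain


def registrable_label(domain: str) -> str:
    # Simplification (assumption): second-from-last label. Use a public-suffix
    # list in production so "vendor.co.uk" does not reduce to "co".
    parts = domain.split(".")
    return parts[-2] if len(parts) >= 2 else domain


def levenshtein(a: str, b: str) -> int:
    """Edit distance; a small distance between labels signals typo-squatting."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(header_from: str, return_path: str, auth_pass: bool, trusted: set) -> str:
    """Return 'trusted', 'spoofed', 'lookalike' or 'unrelated'.

    auth_pass is the DMARC/DKIM verdict for the From: domain (constructed input
    here). A compromised real account comes back 'trusted': every header check
    passes, which is exactly why that case needs content and behaviour analysis.
    """
    from_dom = domain_of(header_from)
    rp_dom = domain_of(return_path)
    if from_dom in trusted:
        return "trusted" if auth_pass and rp_dom == from_dom else "spoofed"
    from_label = registrable_label(from_dom)
    for t in trusted:
        t_label = registrable_label(t)
        if normalize(from_dom) == normalize(t):
            return "lookalike"
        if levenshtein(from_label, t_label) <= 2 or t_label in from_label:
            return "lookalike"
    return "unrelated"


if __name__ == "__main__":
    TRUSTED = {"vendor.com"}  # constructed vendor directory
    SAMPLES = [  # constructed header triples: (From, Return-Path, auth result)
        ("Dana Lee <dana.lee@vendor.com>", "<dana.lee@vendor.com>", True),
        ("Dana Lee <dana.lee@vendor.com>", "<bounce@attacker.example>", False),
        ("Dana Lee <dana.lee@vend0r.com>", "<dana.lee@vend0r.com>", True),
        ("AP <ap@vendor-invoices.com>", "<ap@vendor-invoices.com>", True),
        ("News <news@example.org>", "<news@example.org>", True),
    ]
    for frm, rp, ok in SAMPLES:
        print(f"{classify_sender(frm, rp, ok, TRUSTED):9s} {frm}")
```

The first sample is the important one: it is what the renewable-energy example below looks like to a header check, and it is indistinguishable from a genuine message from the director. Everything this function can flag is the cheaper class of attack; the expensive class has to be caught on what the message asks for and on whether that request fits the sender’s history.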
After compromising the account of the Director of Business Development at a renewable energy manufacturer, the attacker hijacks an existing thread discussing a purchase order and invoice for battery parts. Likely utilizing generative AI, the cybercriminal drafts an email requesting confirmation that an attached invoice with updated banking information has been received and that future payments will be sent to the new account.
Consistent with GenAI drafting, the email has no misspellings and uses acceptable grammar, punctuation, and syntax. And because it was sent from the director’s real account, the recipients have no header-level reason to believe the request is fraudulent. Should the targeted accounts payable team transfer funds to the account listed on the doctored invoice, they would wire more than $230,000 directly to the attacker. The control that defeats this attack is procedural rather than technical: any change to a vendor’s banking details is confirmed by calling a phone number already on file for that vendor, never through the email thread that requested the change.
Defending Against New and Emerging Threats
Research reports and stakeholder surveys are increasingly drawing the same conclusion: employees remain the most vulnerable part of an organization’s cybersecurity posture. While security awareness training is a critical component of a comprehensive defense strategy, the most effective way to protect your employees from ever-more complex attacks is to prevent malicious emails from reaching them in the first place.
There is little denying that email threats will continue to increase in both volume and severity. However, these attacks can be effectively neutralized with the right solution—one that leverages AI to analyze identity, context, and content and build behavioral baselines for every identity in your cloud environment. By understanding an organization’s unique patterns of communication, a robust email security platform can identify and block anomalous messages before they become a threat.
With the right technology in place, your employees’ exposure to all types of attacks is sharply reduced, including those that have yet to be observed, because detection keys on deviations from established behavior rather than on previously seen indicators.
For even more insights into the emerging threat landscape and predictions for where it’s headed, download our white paper, Inbox Under Siege: 5 Email Attacks You Need to Know for 2025.