Surge in phishing attacks as cybercriminals exploit URLs & QR codes

Proofpoint researchers have reported a substantial surge in phishing and URL-based cyber threats, with increased use of social engineering and artificial intelligence to deceive users.

The company's latest Human Factor 2025 Report series reveals that malicious URLs have overtaken attachments as the primary method of delivering email threats, being used four times more frequently. This reflects cybercriminals' preference for URLs, which are more easily disguised within emails, documents, and even buttons, and are harder to detect by conventional security protocols.

According to the report, ClickFix malware campaigns, which entice users to run harmful code through fake error messages or CAPTCHA screens, have risen by nearly 400% over the past year. The ClickFix technique is designed to exploit an individual's instinct to resolve technical issues quickly, resulting in the unintentional spread of malware variants such as remote access trojans, information-stealing software, and programme loaders.

A significant increase in QR code phishing threats was also observed. In the first half of 2025 alone, Proofpoint identified over 4.2 million such attacks. Attackers use QR codes to direct individuals to deceptive websites via their mobile devices, bypassing conventional enterprise protections. Victims are often unaware they have been redirected to phishing destinations designed to capture sensitive details like credentials and payment card information.

The report highlights credential phishing as the most common objective, revealing 3.7 billion URL-based attacks aimed at stealing login details. Attackers are using tactics that impersonate well-known brands and deploy easily accessible phishing kits such as CoGUI and Darcula. These tools allow even those with limited technical abilities to implement convincing campaigns capable of bypassing multifactor authentication measures and compromising user accounts.

Proofpoint also details an extraordinary 2,534% year-on-year increase in smishing – or SMS phishing – campaigns. Approximately 55% of all analysed SMS-based phishing attempts contained a malicious URL, with many messages disguised as government notices or delivery updates. This approach leverages the trust users place in mobile text messages, marking a shift toward mobile-first targeting by cybercriminal groups.

"Attackers today aren't just breaking into systems. They're walking through the digital front door by tricking people into opening it. From fake error pages to QR codes that look harmless, the sophistication of URL-based threats means anyone can be a target, anywhere. In Asia's fast-paced and connected digital economy, organisations need multilayered, AI-powered defences and continuous user education to stay ahead of these human-centred attacks", said Jennifer Cheng, Director of Cybersecurity Strategy, Asia Pacific and Japan at Proofpoint.

Researchers note that, across delivery channels such as email, SMS, and collaboration platforms, threat actors are focusing on deceiving users rather than breaking through technical defences. The rise in QR code and SMS-based attacks reflects adversaries' efforts to circumvent organisational controls by targeting personal devices that may be less protected.

Cybersecurity strategies are therefore being called into question, with organisations urged to reassess their defences, particularly in the face of tactics that focus on manipulating user behaviour and leveraging AI-generated content to support convincing pretexts.

Proofpoint's findings are based on intelligence from its platform, which monitors active cyber threats and attack methodologies worldwide. The report emphasises the need for organisations to combine advanced technology with ongoing employee training to enhance their resilience against cyber attacks.