The techniques that are beating security-aware organisations in 2025 are not novel — they exploit human psychology more precisely than ever before.
AI-Personalised Spear Phishing
Generic phishing emails are increasingly caught by email security filters. Attackers responded by shifting to hyper-personalised spear phishing — emails that reference the target's specific role, recent LinkedIn activity, known colleagues, and current projects. AI tools have made the research and drafting of these personalised emails fast enough to apply at scale. The distinguishing characteristic is that the email feels like it could only have been written by someone who knows you — which dramatically increases the click-through rate.
Deepfake Audio in Finance and HR Fraud
Business email compromise (BEC) evolved into business voice compromise (BVC). Attackers clone an executive's voice using publicly available audio — conference recordings, YouTube presentations, earnings calls — and call the finance or HR team impersonating the executive. The calls request urgent wire transfers or payroll account changes. Several documented cases in 2025 resulted in six-figure losses before the fraud was detected. The defence is a callback verification protocol for all financial transactions over a defined threshold, using a known verified number — not the number that called you.
MFA Fatigue Attacks
If an attacker has valid credentials, they can trigger repeated MFA push notifications to the user's phone in the hope that the user approves one to make them stop. This 'MFA bombing' or 'push fatigue' attack is surprisingly effective. The defence is to move from push-to-approve MFA to number matching (the user must enter a number shown on the login screen into the MFA app) or FIDO2 hardware keys. Number matching is now the default in Microsoft Authenticator and eliminates push fatigue attacks entirely.
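As an added example (not code from the original article), this is detection logic a defender could run over MFA push logs to surface the pattern described above: a burst of pushes to one account that are denied or ignored, followed by a late approval. It assumes a constructed log format and uses constructed sample lines.

```python
# Added example, not code from the original article. Assumes a constructed log
# format, one event per line: <ISO UTC time> user=<id> event=push_<sent|approved|denied|timeout> src=<ip>
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: 'alice' is bombarded from one source and finally approves; 'bob' logs in normally.
SAMPLE_LOG = """\
2025-03-04T08:00:01Z user=alice event=push_sent src=203.0.113.7
2025-03-04T08:00:25Z user=alice event=push_denied src=203.0.113.7
2025-03-04T08:00:40Z user=alice event=push_sent src=203.0.113.7
2025-03-04T08:01:55Z user=alice event=push_timeout src=203.0.113.7
2025-03-04T08:02:10Z user=alice event=push_sent src=203.0.113.7
2025-03-04T08:02:31Z user=alice event=push_approved src=203.0.113.7
2025-03-04T08:05:00Z user=bob event=push_sent src=198.51.100.2
2025-03-04T08:05:09Z user=bob event=push_approved src=198.51.100.2
"""

def parse_line(line):
    ts_str, *kvs = line.split()
    fields = dict(kv.split("=", 1) for kv in kvs)
    ts = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")
    return ts, fields["user"], fields["event"], fields["src"]

def detect_push_fatigue(log_text, window=timedelta(minutes=10), min_pushes=3):
    """Return {user: summary} for users sent >= min_pushes pushes within `window`.
    'approved_after_rejections' marks the dangerous case: rejected/ignored pushes, then an approval."""
    per_user = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ts, user, event, src = parse_line(line)
            per_user[user].append((ts, event, src))
    alerts = {}
    for user, events in per_user.items():
        events.sort()
        sends = [e for e in events if e[1] == "push_sent"]
        for i, (start, _, _) in enumerate(sends):
            burst = [e for e in sends[i:] if e[0] - start <= window]
            if len(burst) < min_pushes:
                continue
            end = burst[-1][0] + window  # include the outcome of the last push
            span = [e for e in events if start <= e[0] <= end]
            rejected = [e for e in span if e[1] in ("push_denied", "push_timeout")]
            late_ok = bool(rejected) and any(
                e[1] == "push_approved" and e[0] > rejected[0][0] for e in span)
            alerts[user] = {"pushes": len(burst), "rejections": len(rejected),
                            "approved_after_rejections": late_ok,
                            "sources": sorted({e[2] for e in burst})}
            break  # one alert per user is enough for triage
    return alerts
```

An alert with `approved_after_rejections` set is the case to treat as a probable compromise and force a credential reset, since the page's own point is that the attacker already holds valid credentials.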
IT Help Desk Social Engineering
One of the most effective attack chains in 2025 targeted IT help desks. Attackers call the help desk impersonating an employee, claim they are locked out, and leverage social pressure to get their credentials reset or MFA bypassed without proper identity verification. The defence is a formal identity verification procedure for credential resets — typically a video call with government ID, a manager confirmation, or an out-of-band verification code sent to the user's manager. If your help desk can reset credentials without a documented verification process, you have a high-severity gap.
- AI-personalised spear phishing is scaling — filters catch generic phishing but miss highly personalised attacks
- Business voice compromise (deepfake audio calls) requires callback verification protocols for all financial transactions
- MFA push fatigue attacks are eliminated by number-matching authenticators or FIDO2 keys — migrate from push-to-approve
- Help desk identity verification procedures are a critical control — credential resets without verified identity are a high-severity gap