{"id":1222,"date":"2026-02-11T10:06:08","date_gmt":"2026-02-11T10:06:08","guid":{"rendered":"https:\/\/blog.ibvl.in\/index.php\/2026\/02\/11\/spam-and-phishing-in-2025\/"},"modified":"2026-02-11T10:06:08","modified_gmt":"2026-02-11T10:06:08","slug":"spam-and-phishing-in-2025","status":"publish","type":"post","link":"https:\/\/blog.ibvl.in\/index.php\/2026\/02\/11\/spam-and-phishing-in-2025\/","title":{"rendered":"Spam and phishing in 2025"},"content":{"rendered":"<div>\n<p><img width=\"990\" height=\"400\" src=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/11095049\/spam-and-phishing-2025-featured-scaled-1-990x400.jpg\" class=\"attachment-securelist-huge-promo size-securelist-huge-promo wp-post-image\" alt=\"\" decoding=\"async\" loading=\"lazy\"><\/p>\n<h2 id=\"the-year-in-figures\">The year in figures<\/h2>\n<ul>\n<li>99% of all emails sent worldwide and 43.27% of all emails sent in the Russian web segment were spam<\/li>\n<li>50% of all spam emails were sent from Russia<\/li>\n<li>Kaspersky Mail Anti-Virus blocked 144,722,674 malicious email attachments<\/li>\n<li>Our Anti-Phishing system thwarted 554,002,207 attempts to follow phishing links<\/li>\n<\/ul>\n<h2 id=\"phishing-and-scams-in-2025\">Phishing and scams in 2025<\/h2>\n<h3 id=\"entertainment-themed-phishing-attacks-and-scams\">Entertainment-themed phishing attacks and scams<\/h3>\n<p>In 2025, online streaming services remained a primary theme for phishing sites within the entertainment sector, typically by offering early access to major premieres ahead of their official release dates. Alongside these, there was a notable increase in phishing pages mimicking ticket aggregation platforms for live events. Cybercriminals lured users with offers of free tickets to see popular artists on pages that mirrored the branding of major ticket distributors. To participate in these \u201cpromotions\u201d, victims were required to pay a nominal processing or ticket-shipping fee. Naturally, after paying the fee, the users never received any tickets.<\/p>\n<p><a href=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10165246\/report-20251.png\" class=\"magnificImage\"><img fetchpriority=\"high\" decoding=\"async\" class=\"aligncenter size-full wp-image-118788\" src=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10165246\/report-20251.png\" alt=\"\" width=\"840\" height=\"762\" srcset=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10165246\/report-20251.png 840w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10165246\/report-20251-300x272.png 300w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10165246\/report-20251-768x697.png 768w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10165246\/report-20251-386x350.png 386w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10165246\/report-20251-740x671.png 740w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10165246\/report-20251-309x280.png 309w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10165246\/report-20251-800x726.png 800w\" sizes=\"(max-width: 840px) 100vw, 840px\"><\/a><\/p>\n<p>In addition to concert-themed bait, other music-related scams gained significant traction. Users were directed to phishing pages and prompted to \u201cvote for their favorite artist\u201d, a common activity within fan communities. To bolster credibility, the scammers leveraged the branding of major companies like Google and Spotify. This specific scheme was designed to harvest credentials for multiple platforms simultaneously, as users were required to sign in with their Facebook, Instagram, or email credentials to participate.<\/p>\n<p><a href=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10165341\/report-20252.png\" class=\"magnificImage\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-118789\" src=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10165341\/report-20252.png\" alt=\"\" width=\"924\" height=\"618\" srcset=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10165341\/report-20252.png 924w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10165341\/report-20252-300x201.png 300w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10165341\/report-20252-768x514.png 768w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10165341\/report-20252-523x350.png 523w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10165341\/report-20252-740x495.png 740w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10165341\/report-20252-419x280.png 419w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10165341\/report-20252-800x535.png 800w\" sizes=\"auto, (max-width: 924px) 100vw, 924px\"><\/a><\/p>\n<p>As a pretext for harvesting Spotify credentials, attackers offered users a way to migrate their playlists to YouTube. To complete the transfer, victims were to just enter their Spotify credentials.<\/p>\n<p><a href=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10165412\/report-20253.png\" class=\"magnificImage\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-118790\" src=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10165412\/report-20253.png\" alt=\"\" width=\"1043\" height=\"549\" srcset=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10165412\/report-20253.png 1043w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10165412\/report-20253-300x158.png 300w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10165412\/report-20253-1024x539.png 1024w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10165412\/report-20253-768x404.png 768w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10165412\/report-20253-665x350.png 665w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10165412\/report-20253-740x390.png 740w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10165412\/report-20253-532x280.png 532w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10165412\/report-20253-800x421.png 800w\" sizes=\"auto, (max-width: 1043px) 100vw, 1043px\"><\/a><\/p>\n<p>Beyond standard phishing, threat actors leveraged Spotify\u2019s popularity for scams. In Brazil, scammers promoted a scheme where users were purportedly paid to listen to and rate songs.<\/p>\n<p><a href=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10165446\/report-20254-1_04-2.png\" class=\"magnificImage\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-118791\" src=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10165446\/report-20254-1_04-2.png\" alt=\"\" width=\"1120\" height=\"1418\" srcset=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10165446\/report-20254-1_04-2.png 1120w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10165446\/report-20254-1_04-2-237x300.png 237w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10165446\/report-20254-1_04-2-809x1024.png 809w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10165446\/report-20254-1_04-2-768x972.png 768w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10165446\/report-20254-1_04-2-276x350.png 276w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10165446\/report-20254-1_04-2-740x937.png 740w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10165446\/report-20254-1_04-2-221x280.png 221w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10165446\/report-20254-1_04-2-711x900.png 711w\" sizes=\"auto, (max-width: 1120px) 100vw, 1120px\"><\/a><\/p>\n<p>To \u201cwithdraw\u201d their earnings, users were required to provide their identification number for PIX, Brazil\u2019s instant payment system.<\/p>\n<p><a href=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10165515\/report-20255.png\" class=\"magnificImage\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-118792\" src=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10165515\/report-20255.png\" alt=\"\" width=\"1099\" height=\"833\" srcset=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10165515\/report-20255.png 1099w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10165515\/report-20255-300x227.png 300w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10165515\/report-20255-1024x776.png 1024w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10165515\/report-20255-768x582.png 768w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10165515\/report-20255-462x350.png 462w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10165515\/report-20255-740x561.png 740w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10165515\/report-20255-369x280.png 369w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10165515\/report-20255-800x606.png 800w\" sizes=\"auto, (max-width: 1099px) 100vw, 1099px\"><\/a><\/p>\n<p>Users were then prompted to verify their identity. To do so, the victim was required to make a small, one-time \u201cverification payment\u201d, an amount significantly lower than the potential earnings.<\/p>\n<p><a href=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10165555\/report-20256.png\" class=\"magnificImage\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-118793\" src=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10165555\/report-20256.png\" alt=\"\" width=\"1112\" height=\"833\" srcset=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10165555\/report-20256.png 1112w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10165555\/report-20256-300x225.png 300w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10165555\/report-20256-1024x767.png 1024w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10165555\/report-20256-768x575.png 768w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10165555\/report-20256-200x150.png 200w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10165555\/report-20256-467x350.png 467w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10165555\/report-20256-740x554.png 740w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10165555\/report-20256-374x280.png 374w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10165555\/report-20256-800x599.png 800w\" sizes=\"auto, (max-width: 1112px) 100vw, 1112px\"><\/a><\/p>\n<p>The form for submitting this \u201cverification payment\u201d was designed to appear highly authentic, even requesting various pieces of personal data. It is highly probable that this data was collected for use in subsequent attacks.<\/p>\n<p><a href=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10165626\/report-20257-1_07-2.png\" class=\"magnificImage\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-118794\" src=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10165626\/report-20257-1_07-2.png\" alt=\"\" width=\"1410\" height=\"820\" srcset=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10165626\/report-20257-1_07-2.png 1410w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10165626\/report-20257-1_07-2-300x174.png 300w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10165626\/report-20257-1_07-2-1024x596.png 1024w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10165626\/report-20257-1_07-2-768x447.png 768w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10165626\/report-20257-1_07-2-602x350.png 602w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10165626\/report-20257-1_07-2-740x430.png 740w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10165626\/report-20257-1_07-2-481x280.png 481w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10165626\/report-20257-1_07-2-800x465.png 800w\" sizes=\"auto, (max-width: 1410px) 100vw, 1410px\"><\/a><\/p>\n<p>In another variation, users were invited to participate in a survey in exchange for a $1000 gift card. However, in a move typical of a scam, the victim was required to pay a small processing or shipping fee to claim the prize. Once the funds were transferred, the attackers vanished, and the website was taken offline.<\/p>\n<p><a href=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10165703\/report-20258.png\" class=\"magnificImage\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-118795\" src=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10165703\/report-20258.png\" alt=\"\" width=\"1391\" height=\"1199\" srcset=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10165703\/report-20258.png 1391w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10165703\/report-20258-300x259.png 300w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10165703\/report-20258-1024x883.png 1024w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10165703\/report-20258-768x662.png 768w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10165703\/report-20258-406x350.png 406w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10165703\/report-20258-740x638.png 740w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10165703\/report-20258-325x280.png 325w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10165703\/report-20258-800x690.png 800w\" sizes=\"auto, (max-width: 1391px) 100vw, 1391px\"><\/a><\/p>\n<p>Even deciding to go to an art venue with a girl from a dating site could result in financial loss. In this scenario, the \u201cdate\u201d would suggest an in-person meeting after a brief period of rapport-building. They would propose a relatively inexpensive outing, such as a movie or a play at a niche theater. The scammer would go so far as to provide a link to a specific page where the victim could supposedly purchase tickets for the event.<\/p>\n<p><a href=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10165735\/report-20259.png\" class=\"magnificImage\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-118796\" src=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10165735\/report-20259.png\" alt=\"\" width=\"1266\" height=\"947\" srcset=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10165735\/report-20259.png 1266w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10165735\/report-20259-300x224.png 300w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10165735\/report-20259-1024x766.png 1024w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10165735\/report-20259-768x574.png 768w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10165735\/report-20259-200x150.png 200w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10165735\/report-20259-468x350.png 468w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10165735\/report-20259-740x554.png 740w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10165735\/report-20259-374x280.png 374w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10165735\/report-20259-800x598.png 800w\" sizes=\"auto, (max-width: 1266px) 100vw, 1266px\"><\/a><\/p>\n<p>To enhance the site\u2019s perceived legitimacy, it even prompted the user to select their city of residence.<\/p>\n<p><a href=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10165815\/report-202510.png\" class=\"magnificImage\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-118797\" src=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10165815\/report-202510.png\" alt=\"\" width=\"1600\" height=\"1200\" srcset=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10165815\/report-202510.png 1600w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10165815\/report-202510-300x225.png 300w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10165815\/report-202510-1024x768.png 1024w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10165815\/report-202510-768x576.png 768w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10165815\/report-202510-1536x1152.png 1536w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10165815\/report-202510-200x150.png 200w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10165815\/report-202510-467x350.png 467w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10165815\/report-202510-740x555.png 740w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10165815\/report-202510-373x280.png 373w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10165815\/report-202510-800x600.png 800w\" sizes=\"auto, (max-width: 1600px) 100vw, 1600px\"><\/a><\/p>\n<p>However, once the \u201cticket payment\u201d was completed, both the booking site and the individual from the dating platform would vanish.<\/p>\n<p>A similar tactic was employed by scam sites selling tickets for escape rooms. The design of these pages closely mirrored legitimate websites to lower the target\u2019s guard.<\/p>\n<p><a href=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10165856\/report-202511.png\" class=\"magnificImage\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-118798\" src=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10165856\/report-202511.png\" alt=\"\" width=\"1640\" height=\"1240\" srcset=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10165856\/report-202511.png 1640w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10165856\/report-202511-300x227.png 300w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10165856\/report-202511-1024x774.png 1024w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10165856\/report-202511-768x581.png 768w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10165856\/report-202511-1536x1161.png 1536w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10165856\/report-202511-200x150.png 200w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10165856\/report-202511-463x350.png 463w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10165856\/report-202511-740x560.png 740w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10165856\/report-202511-370x280.png 370w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10165856\/report-202511-800x605.png 800w\" sizes=\"auto, (max-width: 1640px) 100vw, 1640px\"><\/a><\/p>\n<p>Phishing pages masquerading as travel portals often capitalize on a sense of urgency, betting that a customer eager to book a \u201clast-minute deal\u201d will overlook an illegitimate URL. For example, the fraudulent page shown below offered exclusive tours of Japan, purportedly from a major Japanese tour operator.<\/p>\n<p><a href=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10165934\/report-202512.png\" class=\"magnificImage\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-118799\" src=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10165934\/report-202512.png\" alt=\"\" width=\"1266\" height=\"1018\" srcset=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10165934\/report-202512.png 1266w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10165934\/report-202512-300x241.png 300w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10165934\/report-202512-1024x823.png 1024w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10165934\/report-202512-768x618.png 768w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10165934\/report-202512-435x350.png 435w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10165934\/report-202512-740x595.png 740w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10165934\/report-202512-348x280.png 348w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10165934\/report-202512-800x643.png 800w\" sizes=\"auto, (max-width: 1266px) 100vw, 1266px\"><\/a><\/p>\n<h3 id=\"sensitive-data-at-risk-phishing-via-government-services\">Sensitive data at risk: phishing via government services<\/h3>\n<p>To harvest users\u2019 personal data, attackers utilized a traditional phishing framework: fraudulent forms for document processing on sites posing as government portals. The visual design and content of these phishing pages meticulously replicated legitimate websites, offering the same services found on official sites. In Brazil, for instance, attackers collected personal data from individuals under the pretext of issuing a Rural Property Registration Certificate (CCIR).<\/p>\n<p><a href=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10170015\/report-202513.png\" class=\"magnificImage\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-118800\" src=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10170015\/report-202513.png\" alt=\"\" width=\"723\" height=\"767\" srcset=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10170015\/report-202513.png 723w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10170015\/report-202513-283x300.png 283w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10170015\/report-202513-330x350.png 330w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10170015\/report-202513-264x280.png 264w\" sizes=\"auto, (max-width: 723px) 100vw, 723px\"><\/a><\/p>\n<p>Through this method, fraudsters tried to gain access to the victim\u2019s highly sensitive information, including their individual taxpayer registry (CPF) number. This identifier serves as a unique key for every Brazilian national to access private accounts on government portals. It is also utilized in national databases and displayed on personal identification documents, making its interception particularly dangerous. Scammer access to this data poses a severe risk of identity theft, unauthorized access to government platforms, and financial exposure.<\/p>\n<p><a href=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10170046\/report-202514.png\" class=\"magnificImage\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-118801\" src=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10170046\/report-202514.png\" alt=\"\" width=\"720\" height=\"768\" srcset=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10170046\/report-202514.png 720w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10170046\/report-202514-281x300.png 281w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10170046\/report-202514-328x350.png 328w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10170046\/report-202514-263x280.png 263w\" sizes=\"auto, (max-width: 720px) 100vw, 720px\"><\/a><\/p>\n<p>Furthermore, users were at risk of direct financial loss: in certain instances, the attackers requested a \u201cprocessing fee\u201d to facilitate the issuance of the important document.<\/p>\n<p>Fraudsters also employed other methods to obtain CPF numbers. Specifically, we discovered phishing pages mimicking the official government service portal, which requires the CPF for sign-in.<\/p>\n<p><a href=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10170144\/report-202515.png\" class=\"magnificImage\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-118802\" src=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10170144\/report-202515.png\" alt=\"\" width=\"1180\" height=\"819\" srcset=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10170144\/report-202515.png 1180w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10170144\/report-202515-300x208.png 300w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10170144\/report-202515-1024x711.png 1024w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10170144\/report-202515-768x533.png 768w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10170144\/report-202515-504x350.png 504w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10170144\/report-202515-740x514.png 740w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10170144\/report-202515-403x280.png 403w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10170144\/report-202515-800x555.png 800w\" sizes=\"auto, (max-width: 1180px) 100vw, 1180px\"><\/a><\/p>\n<p>Another theme exploited by scammers involved government payouts. In 2025, Singaporean citizens received government vouchers ranging from $600 to $800 in honor of the country\u2019s 60th anniversary. To redeem these, users were required to sign in to the official program website. Fraudsters rushed to create web pages designed to mimic this site. Interestingly, the primary targets in this campaign were Telegram accounts, despite the fact that Telegram credentials were not a requirement for signing in to the legitimate portal.<\/p>\n<p><a href=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10170240\/report-202516.png\" class=\"magnificImage\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-118803\" src=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10170240\/report-202516.png\" alt=\"\" width=\"1013\" height=\"797\" srcset=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10170240\/report-202516.png 1013w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10170240\/report-202516-300x236.png 300w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10170240\/report-202516-768x604.png 768w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10170240\/report-202516-445x350.png 445w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10170240\/report-202516-740x582.png 740w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10170240\/report-202516-356x280.png 356w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10170240\/report-202516-800x629.png 800w\" sizes=\"auto, (max-width: 1013px) 100vw, 1013px\"><\/a><\/p>\n<p>We also identified a scam targeting users in Norway who were looking to renew or replace their driver\u2019s licenses. Upon opening a website masquerading as the official Norwegian Public Roads Administration website, visitors were prompted to enter their vehicle registration and phone numbers.<\/p>\n<p><a href=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10170312\/report-202517.png\" class=\"magnificImage\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-118804\" src=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10170312\/report-202517.png\" alt=\"\" width=\"1416\" height=\"838\" srcset=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10170312\/report-202517.png 1416w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10170312\/report-202517-300x178.png 300w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10170312\/report-202517-1024x606.png 1024w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10170312\/report-202517-768x455.png 768w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10170312\/report-202517-591x350.png 591w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10170312\/report-202517-740x438.png 740w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10170312\/report-202517-473x280.png 473w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10170312\/report-202517-800x473.png 800w\" sizes=\"auto, (max-width: 1416px) 100vw, 1416px\"><\/a><\/p>\n<p>Next, the victim was prompted for sensitive data, such as the personal identification number unique to every Norwegian citizen. By doing so, the attackers not only gained access to confidential information but also reinforced the illusion that the victim was interacting with an official website.<\/p>\n<p><a href=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10170338\/report-202518.png\" class=\"magnificImage\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-118805\" src=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10170338\/report-202518.png\" alt=\"\" width=\"552\" height=\"744\" srcset=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10170338\/report-202518.png 552w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10170338\/report-202518-223x300.png 223w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10170338\/report-202518-260x350.png 260w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10170338\/report-202518-208x280.png 208w\" sizes=\"auto, (max-width: 552px) 100vw, 552px\"><\/a><\/p>\n<p>Once the personal data was submitted, a fraudulent page would appear, requesting a \u201cprocessing fee\u201d of 1200 kroner. If the victim entered their credit card details, the funds were transferred directly to the scammers with no possibility of recovery.<\/p>\n<p><a href=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10170413\/report-202519.png\" class=\"magnificImage\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-118806\" src=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10170413\/report-202519.png\" alt=\"\" width=\"567\" height=\"578\" srcset=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10170413\/report-202519.png 567w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10170413\/report-202519-294x300.png 294w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10170413\/report-202519-343x350.png 343w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10170413\/report-202519-275x280.png 275w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10170413\/report-202519-50x50.png 50w\" sizes=\"auto, (max-width: 567px) 100vw, 567px\"><\/a><\/p>\n<p>In Germany, attackers used the pretext of filing tax returns to trick users into providing their email user names and passwords on phishing pages.<\/p>\n<p><a href=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10170448\/report-202520.png\" class=\"magnificImage\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-118807\" src=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10170448\/report-202520.png\" alt=\"\" width=\"1033\" height=\"825\" srcset=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10170448\/report-202520.png 1033w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10170448\/report-202520-300x240.png 300w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10170448\/report-202520-1024x818.png 1024w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10170448\/report-202520-768x613.png 768w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10170448\/report-202520-500x400.png 500w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10170448\/report-202520-438x350.png 438w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10170448\/report-202520-740x591.png 740w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10170448\/report-202520-351x280.png 351w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10170448\/report-202520-800x639.png 800w\" sizes=\"auto, (max-width: 1033px) 100vw, 1033px\"><\/a><\/p>\n<p>A call to urgent action is a classic tactic in phishing scenarios. When combined with the threat of losing property, these schemes become highly effective bait, distracting potential victims from noticing an incorrect URL or a poorly designed website. For example, a phishing warning regarding unpaid vehicle taxes was used as a tool by attackers targeting credentials for the UK government portal.<\/p>\n<p><a href=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10170523\/report-202521.png\" class=\"magnificImage\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-118808\" src=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10170523\/report-202521.png\" alt=\"\" width=\"697\" height=\"1131\" srcset=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10170523\/report-202521.png 697w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10170523\/report-202521-185x300.png 185w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10170523\/report-202521-631x1024.png 631w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10170523\/report-202521-216x350.png 216w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10170523\/report-202521-616x1000.png 616w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10170523\/report-202521-173x280.png 173w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10170523\/report-202521-555x900.png 555w\" sizes=\"auto, (max-width: 697px) 100vw, 697px\"><\/a><\/p>\n<p>We have observed that since the spring of 2025, there has been an increase in emails mimicking automated notifications from the Russian government services portal. These messages were distributed under the guise of application status updates and contained phishing links.<\/p>\n<p><a href=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10170601\/report-202522.png\" class=\"magnificImage\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-118809\" src=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10170601\/report-202522.png\" alt=\"\" width=\"1889\" height=\"993\" srcset=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10170601\/report-202522.png 1889w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10170601\/report-202522-300x158.png 300w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10170601\/report-202522-1024x538.png 1024w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10170601\/report-202522-768x404.png 768w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10170601\/report-202522-1536x807.png 1536w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10170601\/report-202522-666x350.png 666w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10170601\/report-202522-740x389.png 740w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10170601\/report-202522-533x280.png 533w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10170601\/report-202522-800x421.png 800w\" sizes=\"auto, (max-width: 1889px) 100vw, 1889px\"><\/a><\/p>\n<p>We also recorded vishing attacks targeting users of government portals. Victims were prompted to \u201cverify account security\u201d by calling a support number provided in the email. To lower the users\u2019 guard, the attackers included fabricated technical details in the emails, such as the IP address, device model, and timestamp of an alleged unauthorized sign-in.<\/p>\n<p><a href=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10170638\/report-202523.png\" class=\"magnificImage\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-118810\" src=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10170638\/report-202523.png\" alt=\"\" width=\"1889\" height=\"450\" srcset=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10170638\/report-202523.png 1889w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10170638\/report-202523-300x71.png 300w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10170638\/report-202523-1024x244.png 1024w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10170638\/report-202523-768x183.png 768w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10170638\/report-202523-1536x366.png 1536w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10170638\/report-202523-1469x350.png 1469w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10170638\/report-202523-740x176.png 740w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10170638\/report-202523-1175x280.png 1175w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10170638\/report-202523-800x191.png 800w\" sizes=\"auto, (max-width: 1889px) 100vw, 1889px\"><\/a><\/p>\n<p>Last year, attackers also disguised vishing emails as notifications from microfinance institutions or credit bureaus regarding new loan applications. The scammers banked on the likelihood that the recipient had not actually applied for a loan. They would then prompt the victim to contact a fake support service via a spoofed support number.<\/p>\n<p><a href=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10170708\/report-202524.png\" class=\"magnificImage\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-118811\" src=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10170708\/report-202524.png\" alt=\"\" width=\"1889\" height=\"993\" srcset=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10170708\/report-202524.png 1889w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10170708\/report-202524-300x158.png 300w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10170708\/report-202524-1024x538.png 1024w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10170708\/report-202524-768x404.png 768w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10170708\/report-202524-1536x807.png 1536w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10170708\/report-202524-666x350.png 666w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10170708\/report-202524-740x389.png 740w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10170708\/report-202524-533x280.png 533w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10170708\/report-202524-800x421.png 800w\" sizes=\"auto, (max-width: 1889px) 100vw, 1889px\"><\/a><\/p>\n<h3 id=\"know-your-customer\">Know Your Customer<\/h3>\n<p>As an added layer of data security, many services now implement biometric verification (facial recognition, fingerprints, and retina scans), as well as identity document verification and digital signatures. To harvest this data, fraudsters create clones of popular platforms that utilize these verification protocols. We have previously <a href=\"https:\/\/securelist.com\/new-phishing-and-scam-trends-in-2025\/117217\/#Hunting%20for%20new%20data\" target=\"_blank\" rel=\"noopener\">detailed<\/a> the mechanics of this specific type of data theft.<\/p>\n<p>In 2025, we observed a surge in phishing attacks targeting users under the guise of Know Your Customer (KYC) identity verification. KYC protocols rely on a specific set of user data for identification. By spoofing the pages of payment services such as Vivid Money, fraudsters harvested the information required to pass KYC authentication.<\/p>\n<p><a href=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10170758\/report-202525.png\" class=\"magnificImage\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-118812\" src=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10170758\/report-202525.png\" alt=\"\" width=\"1600\" height=\"1200\" srcset=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10170758\/report-202525.png 1600w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10170758\/report-202525-300x225.png 300w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10170758\/report-202525-1024x768.png 1024w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10170758\/report-202525-768x576.png 768w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10170758\/report-202525-1536x1152.png 1536w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10170758\/report-202525-200x150.png 200w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10170758\/report-202525-467x350.png 467w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10170758\/report-202525-740x555.png 740w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10170758\/report-202525-373x280.png 373w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10170758\/report-202525-800x600.png 800w\" sizes=\"auto, (max-width: 1600px) 100vw, 1600px\"><\/a><\/p>\n<p>Notably, this threat also impacted users of various other platforms that utilize KYC procedures.<\/p>\n<p><a href=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10173834\/report-202526.jpg\" class=\"magnificImage\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-118813\" src=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10173834\/report-202526.jpg\" alt=\"\" width=\"765\" height=\"358\" srcset=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10173834\/report-202526.jpg 765w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10173834\/report-202526-300x140.jpg 300w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10173834\/report-202526-748x350.jpg 748w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10173834\/report-202526-740x346.jpg 740w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10173834\/report-202526-598x280.jpg 598w\" sizes=\"auto, (max-width: 765px) 100vw, 765px\"><\/a><\/p>\n<p>A distinctive feature of attacks on the KYC process is that, in addition to the victim\u2019s full name, email address, and phone number, phishers request photos of their passport or face, sometimes from multiple angles. If this information falls into the hands of threat actors, the consequences extend beyond the loss of account access; the victim\u2019s credentials can be sold on dark web marketplaces, a trend we have <a href=\"https:\/\/securelist.com\/what-happens-to-stolen-data-after-phishing-attacks\/118180\/#Selling%20data%20on%20dark%20web%20markets\" target=\"_blank\" rel=\"noopener\">highlighted in previous reports<\/a>.<\/p>\n<h3 id=\"messaging-app-phishing\">Messaging app phishing<\/h3>\n<p>Account hijacking on messaging platforms like WhatsApp and Telegram remains one of the primary objectives of phishing and scam operations. While traditional tactics, such as suspicious links embedded in messages, have been well-known for some time, the methods used to steal credentials are becoming increasingly sophisticated.<\/p>\n<p>For instance, Telegram users were <a href=\"https:\/\/www.kaspersky.com\/blog\/telegram-mini-app-phishing\/55041\/\" target=\"_blank\" rel=\"noopener\">invited to participate in a prize giveaway<\/a> purportedly hosted by a famous athlete. This phishing attack, which masqueraded as an NFT giveaway, was executed through a Telegram Mini App. This marks a shift in tactics, as attackers previously relied on external web pages for these types of schemes.<\/p>\n<p><a href=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10173921\/report-202527.png\" class=\"magnificImage\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-118814\" src=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10173921\/report-202527.png\" alt=\"\" width=\"553\" height=\"905\" srcset=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10173921\/report-202527.png 553w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10173921\/report-202527-183x300.png 183w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10173921\/report-202527-214x350.png 214w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10173921\/report-202527-171x280.png 171w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10173921\/report-202527-550x900.png 550w\" sizes=\"auto, (max-width: 553px) 100vw, 553px\"><\/a><\/p>\n<p>In 2025, new variations emerged within the familiar framework of distributing phishing links via Telegram. For example, we observed prompts inviting users to vote for the \u201cbest dentist\u201d or \u201cbest COO\u201d in town.<\/p>\n<p><a href=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10174004\/report-202528-1_28-2.png\" class=\"magnificImage\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-118815\" src=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10174004\/report-202528-1_28-2.png\" alt=\"\" width=\"1240\" height=\"1715\" srcset=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10174004\/report-202528-1_28-2.png 1240w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10174004\/report-202528-1_28-2-217x300.png 217w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10174004\/report-202528-1_28-2-740x1024.png 740w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10174004\/report-202528-1_28-2-768x1062.png 768w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10174004\/report-202528-1_28-2-1111x1536.png 1111w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10174004\/report-202528-1_28-2-253x350.png 253w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10174004\/report-202528-1_28-2-723x1000.png 723w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10174004\/report-202528-1_28-2-202x280.png 202w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10174004\/report-202528-1_28-2-651x900.png 651w\" sizes=\"auto, (max-width: 1240px) 100vw, 1240px\"><\/a><\/p>\n<p>The most prevalent theme in these voting-based schemes, children\u2019s contests, was distributed primarily through WhatsApp. These phishing pages showed little variety; attackers utilized a standardized website design and set of \u201cbait\u201d photos, simply localizing the language based on the target audience\u2019s geographic location.<\/p>\n<p><a href=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10174050\/report-202529-1_29-2.png\" class=\"magnificImage\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-118816\" src=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10174050\/report-202529-1_29-2.png\" alt=\"\" width=\"1640\" height=\"1926\" srcset=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10174050\/report-202529-1_29-2.png 1640w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10174050\/report-202529-1_29-2-255x300.png 255w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10174050\/report-202529-1_29-2-872x1024.png 872w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10174050\/report-202529-1_29-2-768x902.png 768w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10174050\/report-202529-1_29-2-1308x1536.png 1308w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10174050\/report-202529-1_29-2-298x350.png 298w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10174050\/report-202529-1_29-2-740x869.png 740w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10174050\/report-202529-1_29-2-238x280.png 238w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10174050\/report-202529-1_29-2-766x900.png 766w\" sizes=\"auto, (max-width: 1640px) 100vw, 1640px\"><\/a><\/p>\n<p>To participate in the vote, the victim was required to enter the phone number linked to their WhatsApp account.<\/p>\n<p><a href=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10174127\/report-202530.png\" class=\"magnificImage\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-118817\" src=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10174127\/report-202530.png\" alt=\"\" width=\"1402\" height=\"702\" srcset=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10174127\/report-202530.png 1402w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10174127\/report-202530-300x150.png 300w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10174127\/report-202530-1024x513.png 1024w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10174127\/report-202530-768x385.png 768w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10174127\/report-202530-1200x600.png 1200w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10174127\/report-202530-699x350.png 699w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10174127\/report-202530-740x371.png 740w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10174127\/report-202530-559x280.png 559w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10174127\/report-202530-800x401.png 800w\" sizes=\"auto, (max-width: 1402px) 100vw, 1402px\"><\/a><\/p>\n<p>They were then prompted to provide a one-time authentication code for the messaging app.<\/p>\n<p><a href=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10174202\/report-202531.png\" class=\"magnificImage\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-118818\" src=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10174202\/report-202531.png\" alt=\"\" width=\"1396\" height=\"717\" srcset=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10174202\/report-202531.png 1396w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10174202\/report-202531-300x154.png 300w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10174202\/report-202531-1024x526.png 1024w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10174202\/report-202531-768x394.png 768w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10174202\/report-202531-681x350.png 681w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10174202\/report-202531-740x380.png 740w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10174202\/report-202531-545x280.png 545w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10174202\/report-202531-800x411.png 800w\" sizes=\"auto, (max-width: 1396px) 100vw, 1396px\"><\/a><\/p>\n<p>The following are several other popular methods used by fraudsters to hijack user credentials.<\/p>\n<p>In China, phishing pages meticulously replicated the WhatsApp interface. Victims were notified that their accounts had purportedly been flagged for \u201cillegal activity\u201d, necessitating \u201cadditional verification\u201d.<\/p>\n<p><a href=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10174239\/report-202532.png\" class=\"magnificImage\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-118819\" src=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10174239\/report-202532.png\" alt=\"\" width=\"1372\" height=\"763\" srcset=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10174239\/report-202532.png 1372w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10174239\/report-202532-300x167.png 300w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10174239\/report-202532-1024x569.png 1024w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10174239\/report-202532-768x427.png 768w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10174239\/report-202532-270x150.png 270w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10174239\/report-202532-629x350.png 629w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10174239\/report-202532-740x412.png 740w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10174239\/report-202532-503x280.png 503w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10174239\/report-202532-800x445.png 800w\" sizes=\"auto, (max-width: 1372px) 100vw, 1372px\"><\/a><\/p>\n<p>The victim was redirected to a page to enter their phone number, followed by a request for their authorization code.<\/p>\n<p><a href=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10174316\/report-202533.png\" class=\"magnificImage\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-118820\" src=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10174316\/report-202533.png\" alt=\"\" width=\"1357\" height=\"766\" srcset=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10174316\/report-202533.png 1357w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10174316\/report-202533-300x169.png 300w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10174316\/report-202533-1024x578.png 1024w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10174316\/report-202533-768x434.png 768w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10174316\/report-202533-620x350.png 620w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10174316\/report-202533-740x418.png 740w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10174316\/report-202533-496x280.png 496w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10174316\/report-202533-800x452.png 800w\" sizes=\"auto, (max-width: 1357px) 100vw, 1357px\"><\/a><\/p>\n<p>In other instances, users received messages allegedly from WhatsApp support regarding account authentication via SMS. As with the other scenarios described, the attackers\u2019 objective was to obtain the authentication code required to hijack the account.<\/p>\n<p><a href=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10174349\/report-202534.png\" class=\"magnificImage\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-118821\" src=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10174349\/report-202534.png\" alt=\"\" width=\"597\" height=\"913\" srcset=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10174349\/report-202534.png 597w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10174349\/report-202534-196x300.png 196w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10174349\/report-202534-229x350.png 229w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10174349\/report-202534-183x280.png 183w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10174349\/report-202534-588x900.png 588w\" sizes=\"auto, (max-width: 597px) 100vw, 597px\"><\/a><\/p>\n<p>Fraudsters enticed WhatsApp users with an offer to link an app designed to \u201csync communications\u201d with business contacts.<\/p>\n<p><a href=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10174423\/report-202535.png\" class=\"magnificImage\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-118822\" src=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10174423\/report-202535.png\" alt=\"\" width=\"1248\" height=\"958\" srcset=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10174423\/report-202535.png 1248w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10174423\/report-202535-300x230.png 300w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10174423\/report-202535-1024x786.png 1024w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10174423\/report-202535-768x590.png 768w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10174423\/report-202535-456x350.png 456w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10174423\/report-202535-740x568.png 740w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10174423\/report-202535-365x280.png 365w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10174423\/report-202535-800x614.png 800w\" sizes=\"auto, (max-width: 1248px) 100vw, 1248px\"><\/a><\/p>\n<p>To increase the perceived legitimacy of the phishing site, the attackers even prompted users to create custom credentials for the page.<\/p>\n<p><a href=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10174456\/report-202536.png\" class=\"magnificImage\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-118823\" src=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10174456\/report-202536.png\" alt=\"\" width=\"1483\" height=\"783\" srcset=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10174456\/report-202536.png 1483w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10174456\/report-202536-300x158.png 300w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10174456\/report-202536-1024x541.png 1024w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10174456\/report-202536-768x405.png 768w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10174456\/report-202536-663x350.png 663w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10174456\/report-202536-740x391.png 740w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10174456\/report-202536-530x280.png 530w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10174456\/report-202536-800x422.png 800w\" sizes=\"auto, (max-width: 1483px) 100vw, 1483px\"><\/a><\/p>\n<p>After that, the user was required to \u201cpurchase a subscription\u201d to activate the application. This allowed the scammers to harvest credit card data, leaving the victim without the promised service.<\/p>\n<p>To lure Telegram users, phishers distributed invitations to online dating chats.<\/p>\n<p><a href=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10174531\/report-202537.png\" class=\"magnificImage\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-118824\" src=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10174531\/report-202537.png\" alt=\"\" width=\"580\" height=\"696\" srcset=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10174531\/report-202537.png 580w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10174531\/report-202537-250x300.png 250w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10174531\/report-202537-292x350.png 292w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10174531\/report-202537-233x280.png 233w\" sizes=\"auto, (max-width: 580px) 100vw, 580px\"><\/a><\/p>\n<p>Attackers also heavily leveraged the promise of free Telegram Premium subscriptions. While these phishing pages were <a href=\"https:\/\/securelist.com\/spam-and-phishing-report-2024\/115536\/#Telegram%20Premium\" target=\"_blank\" rel=\"noopener\">previously observed<\/a> only in Russian and English, the linguistic scope of these campaigns expanded significantly this year. As in previous iterations, activating the subscription required the victim to sign in to their account, which could result in the loss of account access.<\/p>\n<p><a href=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10174616\/report-202538-1_38-2.png\" class=\"magnificImage\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-118825\" src=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10174616\/report-202538-1_38-2.png\" alt=\"\" width=\"1009\" height=\"698\" srcset=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10174616\/report-202538-1_38-2.png 1009w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10174616\/report-202538-1_38-2-300x208.png 300w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10174616\/report-202538-1_38-2-768x531.png 768w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10174616\/report-202538-1_38-2-506x350.png 506w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10174616\/report-202538-1_38-2-740x512.png 740w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10174616\/report-202538-1_38-2-405x280.png 405w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10174616\/report-202538-1_38-2-800x553.png 800w\" sizes=\"auto, (max-width: 1009px) 100vw, 1009px\"><\/a><\/p>\n<h3 id=\"exploiting-the-chatgpt-hype\">Exploiting the ChatGPT hype<\/h3>\n<p>Artificial intelligence is increasingly being leveraged by attackers as bait. For example, we have identified fraudulent websites mimicking the official payment page for ChatGPT Plus subscriptions.<\/p>\n<p><a href=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10174649\/report-202539.png\" class=\"magnificImage\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-118826\" src=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10174649\/report-202539.png\" alt=\"\" width=\"1092\" height=\"598\" srcset=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10174649\/report-202539.png 1092w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10174649\/report-202539-300x164.png 300w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10174649\/report-202539-1024x561.png 1024w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10174649\/report-202539-768x421.png 768w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10174649\/report-202539-639x350.png 639w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10174649\/report-202539-740x405.png 740w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10174649\/report-202539-511x280.png 511w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10174649\/report-202539-800x438.png 800w\" sizes=\"auto, (max-width: 1092px) 100vw, 1092px\"><\/a><\/p>\n<p>Social media marketing through LLMs was also a potential focal point for user interest. Scammers offered \u201cspecialized prompt kits\u201d designed for social media growth; however, once payment was received, they vanished, leaving victims without the prompts or their money.<\/p>\n<p><a href=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10174732\/report-202540.png\" class=\"magnificImage\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-118827\" src=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10174732\/report-202540.png\" alt=\"\" width=\"1149\" height=\"1199\" srcset=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10174732\/report-202540.png 1149w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10174732\/report-202540-287x300.png 287w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10174732\/report-202540-981x1024.png 981w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10174732\/report-202540-768x801.png 768w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10174732\/report-202540-335x350.png 335w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10174732\/report-202540-740x772.png 740w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10174732\/report-202540-268x280.png 268w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10174732\/report-202540-800x835.png 800w\" sizes=\"auto, (max-width: 1149px) 100vw, 1149px\"><\/a><\/p>\n<p>The promise of easy income through neural networks has emerged as another tactic to attract potential victims. Fraudsters promoted using ChatGPT to place bets, promising that the bot would do all the work while the user collected the profits. These services were offered at a \u201cspecial price\u201d valid for only 15 minutes after the page was opened. This narrow window prevented the victim from critically evaluating the impulse purchase.<\/p>\n<p><a href=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10175334\/report-202541-1_41-2.png\" class=\"magnificImage\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-118828\" src=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10175334\/report-202541-1_41-2.png\" alt=\"\" width=\"740\" height=\"810\" srcset=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10175334\/report-202541-1_41-2.png 740w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10175334\/report-202541-1_41-2-274x300.png 274w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10175334\/report-202541-1_41-2-320x350.png 320w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10175334\/report-202541-1_41-2-256x280.png 256w\" sizes=\"auto, (max-width: 740px) 100vw, 740px\"><\/a><\/p>\n<h3 id=\"job-opportunities-with-a-catch\">Job opportunities with a catch<\/h3>\n<p>To attract potential victims, scammers exploited the theme of employment by offering high-paying remote positions. Applicants responding to these advertisements did more than just disclose their personal data; in some cases, fraudsters requested a small sum under the pretext of document processing or administrative fees. To convince victims that the offer was legitimate, attackers impersonated major brands, leveraging household names to build trust. This allowed them to lower the victims\u2019 guard, even when the employment terms sounded too good to be true.<\/p>\n<p><a href=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10175411\/report-202542.png\" class=\"magnificImage\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-118829\" src=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10175411\/report-202542.png\" alt=\"\" width=\"1202\" height=\"950\" srcset=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10175411\/report-202542.png 1202w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10175411\/report-202542-300x237.png 300w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10175411\/report-202542-1024x809.png 1024w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10175411\/report-202542-768x607.png 768w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10175411\/report-202542-443x350.png 443w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10175411\/report-202542-740x585.png 740w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10175411\/report-202542-354x280.png 354w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10175411\/report-202542-800x632.png 800w\" sizes=\"auto, (max-width: 1202px) 100vw, 1202px\"><\/a><\/p>\n<p>We also observed schemes where, after obtaining a victim\u2019s data via a phishing site, scammers would follow up with a phone call \u2013 a tactic aimed at tricking the user into disclosing additional personal data.<\/p>\n<p><a href=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10175444\/report-202543.png\" class=\"magnificImage\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-118830\" src=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10175444\/report-202543.png\" alt=\"\" width=\"631\" height=\"768\" srcset=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10175444\/report-202543.png 631w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10175444\/report-202543-246x300.png 246w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10175444\/report-202543-288x350.png 288w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10175444\/report-202543-230x280.png 230w\" sizes=\"auto, (max-width: 631px) 100vw, 631px\"><\/a><\/p>\n<p>By analyzing current job market trends, threat actors also targeted popular career paths to steal messaging app credentials. These phishing schemes were tailored to specific regional markets. For example, in the UAE, fake \u201cemployment agency\u201d websites were circulating.<\/p>\n<p><a href=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10175521\/report-202544-1_44-2.png\" class=\"magnificImage\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-118831\" src=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10175521\/report-202544-1_44-2.png\" alt=\"\" width=\"1240\" height=\"1501\" srcset=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10175521\/report-202544-1_44-2.png 1240w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10175521\/report-202544-1_44-2-248x300.png 248w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10175521\/report-202544-1_44-2-846x1024.png 846w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10175521\/report-202544-1_44-2-768x930.png 768w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10175521\/report-202544-1_44-2-289x350.png 289w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10175521\/report-202544-1_44-2-740x896.png 740w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10175521\/report-202544-1_44-2-231x280.png 231w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10175521\/report-202544-1_44-2-744x900.png 744w\" sizes=\"auto, (max-width: 1240px) 100vw, 1240px\"><\/a><\/p>\n<p>In a more sophisticated variation, users were asked to complete a questionnaire that required the phone number linked to their Telegram account.<\/p>\n<p><a href=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10175601\/report-202545.png\" class=\"magnificImage\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-118832\" src=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10175601\/report-202545.png\" alt=\"\" width=\"1440\" height=\"757\" srcset=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10175601\/report-202545.png 1440w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10175601\/report-202545-300x158.png 300w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10175601\/report-202545-1024x538.png 1024w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10175601\/report-202545-768x404.png 768w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10175601\/report-202545-666x350.png 666w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10175601\/report-202545-740x389.png 740w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10175601\/report-202545-533x280.png 533w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10175601\/report-202545-800x421.png 800w\" sizes=\"auto, (max-width: 1440px) 100vw, 1440px\"><\/a><\/p>\n<p>To complete the registration, users were prompted for a code which, in reality, was a Telegram authorization code.<\/p>\n<p><a href=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10175643\/report-202546.png\" class=\"magnificImage\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-118833\" src=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10175643\/report-202546.png\" alt=\"\" width=\"1440\" height=\"760\" srcset=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10175643\/report-202546.png 1440w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10175643\/report-202546-300x158.png 300w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10175643\/report-202546-1024x540.png 1024w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10175643\/report-202546-768x405.png 768w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10175643\/report-202546-663x350.png 663w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10175643\/report-202546-740x391.png 740w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10175643\/report-202546-531x280.png 531w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10175643\/report-202546-800x422.png 800w\" sizes=\"auto, (max-width: 1440px) 100vw, 1440px\"><\/a><\/p>\n<p>Notably, the registration process did not end there; the site continued to request additional information to \u201cset up an account\u201d on the fraudulent platform. This served to keep victims in the dark, maintaining their trust in the malicious site\u2019s perceived legitimacy.<\/p>\n<p><a href=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10175722\/report-202547.png\" class=\"magnificImage\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-118834\" src=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10175722\/report-202547.png\" alt=\"\" width=\"1440\" height=\"764\" srcset=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10175722\/report-202547.png 1440w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10175722\/report-202547-300x159.png 300w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10175722\/report-202547-1024x543.png 1024w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10175722\/report-202547-768x407.png 768w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10175722\/report-202547-660x350.png 660w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10175722\/report-202547-740x393.png 740w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10175722\/report-202547-528x280.png 528w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10175722\/report-202547-800x424.png 800w\" sizes=\"auto, (max-width: 1440px) 100vw, 1440px\"><\/a><\/p>\n<p>After finishing the registration, the victim was told to wait 24 hours for \u201cverification\u201d, though the scammers\u2019 primary objective, hijacking the Telegram account, had already been achieved.<\/p>\n<p>Simpler phishing schemes were also observed, where users were redirected to a page mimicking the Telegram interface. By entering their phone number and authorization code, victims lost access to their accounts.<\/p>\n<p><a href=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10175801\/report-202548.png\" class=\"magnificImage\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-118835\" src=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10175801\/report-202548.png\" alt=\"\" width=\"514\" height=\"606\" srcset=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10175801\/report-202548.png 514w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10175801\/report-202548-254x300.png 254w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10175801\/report-202548-297x350.png 297w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10175801\/report-202548-237x280.png 237w\" sizes=\"auto, (max-width: 514px) 100vw, 514px\"><\/a><\/p>\n<p>Job seekers were not the only ones targeted by scammers. Employers\u2019 accounts were also in the crosshairs, specifically on a major Russian recruitment portal. On a counterfeit page, the victim was asked to \u201cverify their account\u201d in order to post a job listing, which required them to enter their actual sign-in credentials for the legitimate site.<\/p>\n<h2 id=\"spam-in-2025\">Spam in 2025<\/h2>\n<h3 id=\"malicious-attachments\">Malicious attachments<\/h3>\n<h4 id=\"password-protected-archives\">Password-protected archives<\/h4>\n<p>Attackers <a href=\"https:\/\/securelist.com\/spam-and-phishing-report-2024\/115536\/#Password-protected%20archives\" target=\"_blank\" rel=\"noopener\">began aggressively distributing<\/a> messages with password-protected malicious archives in 2024. Throughout 2025, these archives remained a popular vector for spreading malware, and we observed a variety of techniques designed to bypass security solutions.<\/p>\n<p>For example, threat actors sent emails impersonating law firms, threatening victims with legal action over alleged \u201cunauthorized domain name use\u201d. The recipient was prompted to review potential pre-trial settlement options detailed in an attached document. The attachment consisted of an unprotected archive containing a secondary password-protected archive and a file with the password. Disguised as a legal document within this inner archive was a malicious WSF file, which installed a Trojan into the system via startup. The Trojan then stealthily downloaded and installed Tor, which allowed it to regularly exfiltrate screenshots to the attacker-controlled C2 server.<\/p>\n<p><a href=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10175853\/report-202549.png\" class=\"magnificImage\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-118836\" src=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10175853\/report-202549.png\" alt=\"\" width=\"1885\" height=\"969\" srcset=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10175853\/report-202549.png 1885w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10175853\/report-202549-300x154.png 300w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10175853\/report-202549-1024x526.png 1024w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10175853\/report-202549-768x395.png 768w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10175853\/report-202549-1536x790.png 1536w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10175853\/report-202549-681x350.png 681w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10175853\/report-202549-740x380.png 740w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10175853\/report-202549-545x280.png 545w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10175853\/report-202549-800x411.png 800w\" sizes=\"auto, (max-width: 1885px) 100vw, 1885px\"><\/a><\/p>\n<p>In addition to archives, we also encountered password-protected PDF files containing malicious links over the past year.<\/p>\n<p><a href=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10175935\/report-202550.png\" class=\"magnificImage\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-118837\" src=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10175935\/report-202550.png\" alt=\"\" width=\"1885\" height=\"990\" srcset=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10175935\/report-202550.png 1885w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10175935\/report-202550-300x158.png 300w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10175935\/report-202550-1024x538.png 1024w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10175935\/report-202550-768x403.png 768w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10175935\/report-202550-1536x807.png 1536w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10175935\/report-202550-666x350.png 666w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10175935\/report-202550-740x389.png 740w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10175935\/report-202550-533x280.png 533w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10175935\/report-202550-800x420.png 800w\" sizes=\"auto, (max-width: 1885px) 100vw, 1885px\"><\/a><\/p>\n<h4 id=\"e-signature-service-exploits\">E-signature service exploits<\/h4>\n<p>Emails using the pretext of \u201csigning a document\u201d to coerce users into clicking phishing links or opening malicious attachments were quite common in 2025. The most prevalent scheme involved fraudulent notifications from electronic signature services. While these were primarily used for phishing, one specific malware sample identified within this campaign is of particular interest.<\/p>\n<p>The email, purportedly sent from a well-known document-sharing platform, notified the recipient that they had been granted access to a \u201ccontract\u201d attached to the message. However, the attachment was not the expected PDF; instead, it was a nested email file named after the contract. The body of this nested message mirrored the original, but its attachment utilized a double extension: a malicious SVG file containing a Trojan was disguised as a PDF document. This multi-layered approach was likely an attempt to obfuscate the malware and bypass security filters.<\/p>\n<p><a href=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10180025\/report-202551-1_51-2.png\" class=\"magnificImage\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-118838\" src=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10180025\/report-202551-1_51-2.png\" alt=\"\" width=\"1885\" height=\"1972\" srcset=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10180025\/report-202551-1_51-2.png 1885w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10180025\/report-202551-1_51-2-287x300.png 287w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10180025\/report-202551-1_51-2-979x1024.png 979w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10180025\/report-202551-1_51-2-768x803.png 768w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10180025\/report-202551-1_51-2-1468x1536.png 1468w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10180025\/report-202551-1_51-2-335x350.png 335w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10180025\/report-202551-1_51-2-740x774.png 740w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10180025\/report-202551-1_51-2-268x280.png 268w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10180025\/report-202551-1_51-2-800x837.png 800w\" sizes=\"auto, (max-width: 1885px) 100vw, 1885px\"><\/a><\/p>\n<h4 id=\"business-correspondence-impersonating-industrial-companies\">\u201cBusiness correspondence\u201d impersonating industrial companies<\/h4>\n<p>In the summer of last year, we observed mailshots sent in the name of various existing industrial enterprises. These emails contained DOCX attachments embedded with Trojans. Attackers coerced victims into opening the malicious files under the pretext of routine business tasks, such as signing a contract or drafting a report.<\/p>\n<p>The authors of this malicious campaign attempted to lower users\u2019 guard by using legitimate industrial sector domains in the \u201cFrom\u201d address. Furthermore, the messages were routed through the mail servers of a reputable cloud provider, ensuring the technical metadata appeared authentic. Consequently, even a cautious user could mistake the email for a genuine communication, open the attachment, and compromise their device.<\/p>\n<p><a href=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10180118\/report-202552.png\" class=\"magnificImage\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-118839\" src=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10180118\/report-202552.png\" alt=\"\" width=\"1885\" height=\"984\" srcset=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10180118\/report-202552.png 1885w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10180118\/report-202552-300x157.png 300w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10180118\/report-202552-1024x535.png 1024w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10180118\/report-202552-768x401.png 768w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10180118\/report-202552-1536x802.png 1536w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10180118\/report-202552-670x350.png 670w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10180118\/report-202552-740x386.png 740w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10180118\/report-202552-536x280.png 536w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10180118\/report-202552-800x418.png 800w\" sizes=\"auto, (max-width: 1885px) 100vw, 1885px\"><\/a><\/p>\n<h4 id=\"attacks-on-hospitals\">Attacks on hospitals<\/h4>\n<p>Hospitals were a popular target for threat actors this past year: they were <a href=\"https:\/\/securelist.ru\/bo-team-upgrades-brockendoor-and-zeronetkit-backdoors\/113536\/\" target=\"_blank\" rel=\"noopener\">targeted with malicious emails<\/a> impersonating well-known insurance providers. Recipients were threatened with legal action regarding alleged \u201csubstandard medical services\u201d. The attachments, described as \u201cmedical records and a written complaint from an aggrieved patient\u201d, were actually malware. Our solutions detect this threat as Backdoor.Win64.BrockenDoor, a backdoor capable of harvesting system information and executing malicious commands on the infected device.<\/p>\n<p><a href=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10180212\/report-202553.png\" class=\"magnificImage\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-118840\" src=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10180212\/report-202553.png\" alt=\"\" width=\"1885\" height=\"958\" srcset=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10180212\/report-202553.png 1885w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10180212\/report-202553-300x152.png 300w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10180212\/report-202553-1024x520.png 1024w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10180212\/report-202553-768x390.png 768w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10180212\/report-202553-1536x781.png 1536w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10180212\/report-202553-689x350.png 689w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10180212\/report-202553-740x376.png 740w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10180212\/report-202553-551x280.png 551w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10180212\/report-202553-800x407.png 800w\" sizes=\"auto, (max-width: 1885px) 100vw, 1885px\"><\/a><\/p>\n<p>We also came across emails with a different narrative. In those instances, medical staff were requested to facilitate a patient transfer from another hospital for ongoing observation and treatment. These messages referenced attached medical files containing diagnostic and treatment history, which were actually archives containing malicious payloads.<\/p>\n<p><a href=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10180249\/report-202554.png\" class=\"magnificImage\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-118841\" src=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10180249\/report-202554.png\" alt=\"\" width=\"1885\" height=\"984\" srcset=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10180249\/report-202554.png 1885w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10180249\/report-202554-300x157.png 300w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10180249\/report-202554-1024x535.png 1024w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10180249\/report-202554-768x401.png 768w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10180249\/report-202554-1536x802.png 1536w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10180249\/report-202554-670x350.png 670w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10180249\/report-202554-740x386.png 740w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10180249\/report-202554-536x280.png 536w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10180249\/report-202554-800x418.png 800w\" sizes=\"auto, (max-width: 1885px) 100vw, 1885px\"><\/a><\/p>\n<p>To bolster the perceived legitimacy of these communications, attackers did more than just impersonate famous insurers and medical institutions; they registered look-alike domains that mimicked official organizations\u2019 domains by appending keywords such as \u201c-insurance\u201d or \u201c-med.\u201d Furthermore, to lower the victims\u2019 guard, scammers included a fake \u201cScanned by Email Security\u201d label.<\/p>\n<h4 id=\"messages-containing-instructions-to-run-malicious-scripts\">Messages containing instructions to run malicious scripts<\/h4>\n<p>Last year, we observed unconventional infection chains targeting end-user devices. Threat actors continued to distribute <a href=\"https:\/\/www.kaspersky.com\/blog\/what-is-clickfix\/53348\/\" target=\"_blank\" rel=\"noopener\">instructions for downloading and executing malicious code<\/a>, rather than attaching the malware files directly. To convince the recipient to follow these steps, attackers typically utilized a lure involving a \u201ccritical software update\u201d or a \u201csystem patch\u201d to fix a purported vulnerability. Generally, the first step in the instructions required launching the command prompt with administrative privileges, while the second involved entering a command to download and execute the malware: either a script or an executable file.<\/p>\n<p>In some instances, these instructions were contained within a PDF file. The victim was prompted to copy a command into PowerShell that was neither obfuscated nor hidden. Such schemes target non-technical users who would likely not understand the command\u2019s true intent and would unknowingly infect their own devices.<\/p>\n<p><a href=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10180336\/report-202555.png\" class=\"magnificImage\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-118842\" src=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10180336\/report-202555.png\" alt=\"\" width=\"1885\" height=\"993\" srcset=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10180336\/report-202555.png 1885w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10180336\/report-202555-300x158.png 300w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10180336\/report-202555-1024x539.png 1024w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10180336\/report-202555-768x405.png 768w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10180336\/report-202555-1536x809.png 1536w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10180336\/report-202555-664x350.png 664w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10180336\/report-202555-740x390.png 740w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10180336\/report-202555-532x280.png 532w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10180336\/report-202555-800x421.png 800w\" sizes=\"auto, (max-width: 1885px) 100vw, 1885px\"><\/a><\/p>\n<h3 id=\"scams\">Scams<\/h3>\n<h4 id=\"law-enforcement-impersonation-scams-in-the-russian-web-segment\">Law enforcement impersonation scams in the Russian web segment<\/h4>\n<p>In 2025, extortion campaigns involving actors posing as law enforcement \u2013 a trend <a href=\"https:\/\/securelist.com\/spam-phishing-scam-report-2022\/108692\/#Blackmail%20in%20the%20name%20of%20law%20enforcement%20agencies\" target=\"_blank\" rel=\"noopener\">previously more prevalent in Europe<\/a> \u2013 were adapted to target users across the Commonwealth of Independent States.<\/p>\n<p>For example, <a href=\"https:\/\/www.kaspersky.com\/blog\/blackmail-and-scam-in-different-countries\/54724\/\" target=\"_blank\" rel=\"noopener\">we identified messages<\/a> disguised as criminal subpoenas or summonses purportedly issued by Russian law enforcement agencies. However, the specific departments cited in these emails never actually existed. The content of these \u201csummonses\u201d would also likely raise red flags for a cautious user. This blackmail scheme relied on the victim, in their state of panic, not scrutinizing the contents of the fake summons.<\/p>\n<p><a href=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10180439\/report-202557.png\" class=\"magnificImage\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-118843\" src=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10180439\/report-202557.png\" alt=\"\" width=\"1885\" height=\"992\" srcset=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10180439\/report-202557.png 1885w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10180439\/report-202557-300x158.png 300w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10180439\/report-202557-1024x539.png 1024w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10180439\/report-202557-768x404.png 768w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10180439\/report-202557-1536x808.png 1536w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10180439\/report-202557-665x350.png 665w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10180439\/report-202557-740x389.png 740w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10180439\/report-202557-532x280.png 532w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10180439\/report-202557-800x421.png 800w\" sizes=\"auto, (max-width: 1885px) 100vw, 1885px\"><\/a><\/p>\n<p>To intimidate recipients, the attackers referenced legal frameworks and added forged signatures and seals to the \u201csubpoenas\u201d. In reality, neither the cited statutes nor the specific civil service positions exist in Russia.<\/p>\n<p><a href=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10180515\/report-202558.png\" class=\"magnificImage\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-118844\" src=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10180515\/report-202558.png\" alt=\"\" width=\"1885\" height=\"992\" srcset=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10180515\/report-202558.png 1885w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10180515\/report-202558-300x158.png 300w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10180515\/report-202558-1024x539.png 1024w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10180515\/report-202558-768x404.png 768w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10180515\/report-202558-1536x808.png 1536w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10180515\/report-202558-665x350.png 665w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10180515\/report-202558-740x389.png 740w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10180515\/report-202558-532x280.png 532w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10180515\/report-202558-800x421.png 800w\" sizes=\"auto, (max-width: 1885px) 100vw, 1885px\"><\/a><\/p>\n<p>We observed similar attacks \u2013 employing fabricated government agencies and fictitious legal acts \u2013 in other CIS countries, such as Belarus.<\/p>\n<p><a href=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10180547\/report-202559.png\" class=\"magnificImage\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-118845\" src=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10180547\/report-202559.png\" alt=\"\" width=\"1885\" height=\"661\" srcset=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10180547\/report-202559.png 1885w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10180547\/report-202559-300x105.png 300w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10180547\/report-202559-1024x359.png 1024w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10180547\/report-202559-768x269.png 768w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10180547\/report-202559-1536x539.png 1536w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10180547\/report-202559-998x350.png 998w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10180547\/report-202559-740x259.png 740w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10180547\/report-202559-798x280.png 798w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10180547\/report-202559-800x281.png 800w\" sizes=\"auto, (max-width: 1885px) 100vw, 1885px\"><\/a><\/p>\n<h4 id=\"fraudulent-investment-schemes\">Fraudulent investment schemes<\/h4>\n<p>Threat actors continued to aggressively exploit investment themes in their email scams. These emails typically promise stable, remote income through \u201cexclusive\u201d investment opportunities. This remains one of the most high-volume and adaptable categories of email scams. Threat actors embedded fraudulent links both directly within the message body and inside various types of attachments: PDF, DOC, PPTX, and PNG files. Furthermore, they increasingly leveraged legitimate Google services, such as Google Docs, YouTube, and Google Forms, to distribute these communications. The link led to the site of the \u201cproject\u201d where the victim was prompted to provide their phone number and email. Subsequently, users were invited to invest in a non-existent project.<\/p>\n<p><a href=\"https:\/\/securelist.com\/spam-phishing-report-2023\/112015\/#Scams\" target=\"_blank\" rel=\"noopener\">We have previously documented these mailshots<\/a>: they were originally targeted at Russian-speaking users and were primarily distributed under the guise of major financial institutions. However, in 2025, this investment-themed scam expanded into other CIS countries and Europe. Furthermore, the range of industries that spammers impersonated grew significantly. For instance, in their emails, attackers began soliciting investments for projects supposedly led by major industrial-sector companies in Kazakhstan and the Czech Republic.<\/p>\n<p><a href=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10180642\/report-202560-1_60-2.png\" class=\"magnificImage\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-118846\" src=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10180642\/report-202560-1_60-2.png\" alt=\"\" width=\"1040\" height=\"1251\" srcset=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10180642\/report-202560-1_60-2.png 1040w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10180642\/report-202560-1_60-2-249x300.png 249w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10180642\/report-202560-1_60-2-851x1024.png 851w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10180642\/report-202560-1_60-2-768x924.png 768w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10180642\/report-202560-1_60-2-291x350.png 291w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10180642\/report-202560-1_60-2-740x890.png 740w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10180642\/report-202560-1_60-2-233x280.png 233w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10180642\/report-202560-1_60-2-748x900.png 748w\" sizes=\"auto, (max-width: 1040px) 100vw, 1040px\"><\/a><\/p>\n<h4 id=\"fraudulent-brand-partner-recruitment\">Fraudulent \u201cbrand partner\u201d recruitment<\/h4>\n<p>This specific scam operates through a multi-stage workflow. First, the target company receives a communication from an individual claiming to represent a well-known global brand, inviting them to register as a certified supplier or business partner. To bolster the perceived authenticity of the offer, the fraudsters send the victim an extensive set of forged documents. Once these documents are signed, the victim is instructed to pay a \u201cdeposit\u201d, which the attackers claim will be fully refunded once the partnership is officially established.<\/p>\n<p><a href=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10180722\/report-202561.png\" class=\"magnificImage\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-118847\" src=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10180722\/report-202561.png\" alt=\"\" width=\"1885\" height=\"984\" srcset=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10180722\/report-202561.png 1885w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10180722\/report-202561-300x157.png 300w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10180722\/report-202561-1024x535.png 1024w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10180722\/report-202561-768x401.png 768w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10180722\/report-202561-1536x802.png 1536w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10180722\/report-202561-670x350.png 670w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10180722\/report-202561-740x386.png 740w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10180722\/report-202561-536x280.png 536w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10180722\/report-202561-800x418.png 800w\" sizes=\"auto, (max-width: 1885px) 100vw, 1885px\"><\/a><\/p>\n<p>These mailshots were <a href=\"https:\/\/www.kaspersky.com\/blog\/airline-brands-scheme\/54539\/\" target=\"_blank\" rel=\"noopener\">first detected in 2025<\/a> and have rapidly become one of the most prevalent forms of email-based fraud. In December 2025 alone, we blocked over 80,000 such messages. These campaigns specifically targeted the B2B sector and were notable for their high level of variation \u2013 ranging from their technical properties to the diversity of the message content and the wide array of brands the attackers chose to impersonate.<\/p>\n<h4 id=\"fraudulent-overdue-rent-notices\">Fraudulent overdue rent notices<\/h4>\n<p>Last year, we identified a new theme in email scams: recipients were notified that the payment deadline for a leased property had expired and were urged to settle the \u201cdebt\u201d immediately. To prevent the victim from sending funds to their actual landlord, the email claimed that banking details had changed. The \u201cdebtor\u201d was then instructed to request the new payment information \u2013 which, of course, belonged to the fraudsters. These mailshots primarily targeted French-speaking countries; however, in December 2025, we discovered a similar scam variant in German.<\/p>\n<p><a href=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10180807\/report-202562.png\" class=\"magnificImage\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-118848\" src=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10180807\/report-202562.png\" alt=\"\" width=\"1885\" height=\"993\" srcset=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10180807\/report-202562.png 1885w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10180807\/report-202562-300x158.png 300w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10180807\/report-202562-1024x539.png 1024w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10180807\/report-202562-768x405.png 768w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10180807\/report-202562-1536x809.png 1536w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10180807\/report-202562-664x350.png 664w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10180807\/report-202562-740x390.png 740w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10180807\/report-202562-532x280.png 532w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10180807\/report-202562-800x421.png 800w\" sizes=\"auto, (max-width: 1885px) 100vw, 1885px\"><\/a><\/p>\n<h4 id=\"qr-codes-in-scam-letters\">QR codes in scam letters<\/h4>\n<p>In 2025, we observed a trend where QR codes were utilized not only in phishing attempts but also in extortion emails. <a href=\"https:\/\/securelist.com\/spam-phishing-report-2023\/112015\/#Blackmail\" target=\"_blank\" rel=\"noopener\">In a classic blackmail scam<\/a>, the user is typically intimidated by claims that hackers have gained access to sensitive data. To prevent the public release of this information, the attackers demand a ransom payment to their cryptocurrency wallet.<\/p>\n<p>Previously, to bypass email filters, scammers attempted to obfuscate the wallet address by using <a href=\"https:\/\/encyclopedia.kaspersky.com\/glossary\/noise-contamination\/\" target=\"_blank\" rel=\"noopener\">various noise contamination techniques<\/a>. In last year\u2019s campaigns, however, scammers shifted to including a QR code that contained the cryptocurrency wallet address.<\/p>\n<p><a href=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10180903\/report-202563.png\" class=\"magnificImage\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-118849\" src=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10180903\/report-202563.png\" alt=\"\" width=\"1885\" height=\"993\" srcset=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10180903\/report-202563.png 1885w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10180903\/report-202563-300x158.png 300w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10180903\/report-202563-1024x539.png 1024w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10180903\/report-202563-768x405.png 768w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10180903\/report-202563-1536x809.png 1536w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10180903\/report-202563-664x350.png 664w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10180903\/report-202563-740x390.png 740w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10180903\/report-202563-532x280.png 532w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10180903\/report-202563-800x421.png 800w\" sizes=\"auto, (max-width: 1885px) 100vw, 1885px\"><\/a><\/p>\n<h3 id=\"news-agenda\">News agenda<\/h3>\n<p><a href=\"https:\/\/securelist.com\/spam-and-phishing-report-2024\/115536\/#News%20agenda\" target=\"_blank\" rel=\"noopener\">As in previous years<\/a>, spammers in 2025 aggressively integrated current events into their fraudulent messaging to increase engagement.<\/p>\n<p>For example, following the launch of $TRUMP memecoins surrounding Donald Trump\u2019s inauguration, we identified scam campaigns promoting the \u201cTrump Meme Coin\u201d and \u201cTrump Digital Trading Cards\u201d. In these instances, scammers enticed victims to click a link to claim \u201cfree NFTs\u201d.<\/p>\n<p><a href=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10180956\/report-202564.png\" class=\"magnificImage\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-118850\" src=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10180956\/report-202564.png\" alt=\"\" width=\"1885\" height=\"992\" srcset=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10180956\/report-202564.png 1885w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10180956\/report-202564-300x158.png 300w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10180956\/report-202564-1024x539.png 1024w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10180956\/report-202564-768x404.png 768w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10180956\/report-202564-1536x808.png 1536w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10180956\/report-202564-665x350.png 665w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10180956\/report-202564-740x389.png 740w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10180956\/report-202564-532x280.png 532w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10180956\/report-202564-800x421.png 800w\" sizes=\"auto, (max-width: 1885px) 100vw, 1885px\"><\/a><\/p>\n<p>We also observed ads offering educational credentials. Spammers posted these ads as comments on legacy, unmoderated forums; this tactic ensured that notifications were automatically pushed to all users subscribed to the thread. These notifications either displayed the fraudulent link directly in the comment preview or alerted users to a new post that redirected them to spammers\u2019 sites.<\/p>\n<p><a href=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10181030\/report-202565.png\" class=\"magnificImage\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-118851\" src=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10181030\/report-202565.png\" alt=\"\" width=\"840\" height=\"845\" srcset=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10181030\/report-202565.png 840w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10181030\/report-202565-298x300.png 298w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10181030\/report-202565-150x150.png 150w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10181030\/report-202565-768x773.png 768w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10181030\/report-202565-348x350.png 348w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10181030\/report-202565-740x744.png 740w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10181030\/report-202565-278x280.png 278w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10181030\/report-202565-800x805.png 800w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10181030\/report-202565-50x50.png 50w\" sizes=\"auto, (max-width: 840px) 100vw, 840px\"><\/a><\/p>\n<p>In the summer, when the wedding of Amazon founder Jeff Bezos became a major global news story, users began receiving <a href=\"https:\/\/securelist.com\/tag\/nigerian-spam\/\">Nigerian-style scam messages<\/a> purportedly from Bezos himself, as well as from his former wife, MacKenzie Scott. These emails promised recipients substantial sums of money, framed either as charitable donations or corporate compensation from Amazon.<\/p>\n<p><a href=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10181219\/report-202566.png\" class=\"magnificImage\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-118852\" src=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10181219\/report-202566.png\" alt=\"\" width=\"1885\" height=\"984\" srcset=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10181219\/report-202566.png 1885w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10181219\/report-202566-300x157.png 300w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10181219\/report-202566-1024x535.png 1024w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10181219\/report-202566-768x401.png 768w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10181219\/report-202566-1536x802.png 1536w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10181219\/report-202566-670x350.png 670w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10181219\/report-202566-740x386.png 740w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10181219\/report-202566-536x280.png 536w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10181219\/report-202566-800x418.png 800w\" sizes=\"auto, (max-width: 1885px) 100vw, 1885px\"><\/a><\/p>\n<p>During the BLACKPINK world tour, we observed a wave of spam advertising \u201cluggage scooters\u201d. The scammers claimed these were the exact motorized suitcases used by the band members during their performances.<\/p>\n<p>Finally, in the fall of 2025, traditionally timed to coincide with the launch of new iPhones, we identified scam campaigns featuring surveys that offered participants a chance to \u201cwin\u201d a fictitious iPhone 17 Pro.<\/p>\n<p><a href=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10181256\/report-202568.png\" class=\"magnificImage\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-118853\" src=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10181256\/report-202568.png\" alt=\"\" width=\"804\" height=\"760\" srcset=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10181256\/report-202568.png 804w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10181256\/report-202568-300x284.png 300w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10181256\/report-202568-768x726.png 768w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10181256\/report-202568-370x350.png 370w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10181256\/report-202568-740x700.png 740w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10181256\/report-202568-296x280.png 296w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10181256\/report-202568-800x756.png 800w\" sizes=\"auto, (max-width: 804px) 100vw, 804px\"><\/a><\/p>\n<p>After completing a brief survey, the user was prompted to provide their contact information and physical address, as well as pay a \u201cdelivery fee\u201d \u2013 which was the scammers\u2019 ultimate objective. Upon entering their credit card details into the fraudulent site, the victim risked losing not only the relatively small delivery charge but also the entire balance in their bank account.<\/p>\n<p>The widespread popularity of Ozempic was also reflected in spam campaigns; users were bombarded with offers to purchase versions of the drug or questionable alternatives.<\/p>\n<p><a href=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10181334\/report-202569.png\" class=\"magnificImage\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-118854\" src=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10181334\/report-202569.png\" alt=\"\" width=\"1885\" height=\"932\" srcset=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10181334\/report-202569.png 1885w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10181334\/report-202569-300x148.png 300w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10181334\/report-202569-1024x506.png 1024w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10181334\/report-202569-768x380.png 768w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10181334\/report-202569-1536x759.png 1536w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10181334\/report-202569-708x350.png 708w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10181334\/report-202569-740x366.png 740w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10181334\/report-202569-566x280.png 566w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10181334\/report-202569-800x396.png 800w\" sizes=\"auto, (max-width: 1885px) 100vw, 1885px\"><\/a><\/p>\n<p>Localized news events also fall under the scrutiny of fraudsters, serving as the basis for scam narratives. For instance, last summer, coinciding with the opening of the tax season in South Africa, we began detecting phishing emails impersonating the South African Revenue Service (SARS). These messages notified taxpayers of alleged \u201coutstanding balances\u201d that required immediate settlement.<\/p>\n<h3 id=\"methods-of-distributing-email-threats\">Methods of distributing email threats<\/h3>\n<h4 id=\"google-services\">Google services<\/h4>\n<p>In 2025, threat actors increasingly leveraged various Google services to distribute email-based threats. We observed the exploitation of Google Calendar: scammers would create an event containing a WhatsApp contact number in the description and send an invitation to the target. For instance, companies received emails regarding product inquiries that prompted them to move the conversation to the messaging app to discuss potential \u201ccollaboration\u201d.<\/p>\n<p><a href=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10181409\/report-202570.png\" class=\"magnificImage\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-118855\" src=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10181409\/report-202570.png\" alt=\"\" width=\"1885\" height=\"972\" srcset=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10181409\/report-202570.png 1885w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10181409\/report-202570-300x155.png 300w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10181409\/report-202570-1024x528.png 1024w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10181409\/report-202570-768x396.png 768w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10181409\/report-202570-1536x792.png 1536w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10181409\/report-202570-679x350.png 679w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10181409\/report-202570-740x382.png 740w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10181409\/report-202570-543x280.png 543w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10181409\/report-202570-800x413.png 800w\" sizes=\"auto, (max-width: 1885px) 100vw, 1885px\"><\/a><\/p>\n<p>Spammers employed a similar tactic using Google Classroom. We identified samples offering SEO optimization services that likewise directed victims to a WhatsApp number for further communication.<\/p>\n<p><a href=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10181442\/report-202571.png\" class=\"magnificImage\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-118856\" src=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10181442\/report-202571.png\" alt=\"\" width=\"1885\" height=\"991\" srcset=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10181442\/report-202571.png 1885w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10181442\/report-202571-300x158.png 300w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10181442\/report-202571-1024x538.png 1024w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10181442\/report-202571-768x404.png 768w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10181442\/report-202571-1536x808.png 1536w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10181442\/report-202571-666x350.png 666w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10181442\/report-202571-740x389.png 740w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10181442\/report-202571-533x280.png 533w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10181442\/report-202571-800x421.png 800w\" sizes=\"auto, (max-width: 1885px) 100vw, 1885px\"><\/a><\/p>\n<p>We also detected the distribution of fraudulent links via legitimate YouTube notifications. Attackers would reply to user comments under various videos, triggering an automated email notification to the victim. This email contained a link to a video that displayed only a message urging the viewer to \u201ccheck the description\u201d, where the actual link to the scam site was located. As the victim received an email containing the full text of the fraudulent comment, they were often lured through this chain of links, eventually landing on the scam site.<\/p>\n<p><a href=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10181522\/report-202572.png\" class=\"magnificImage\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-118857\" src=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10181522\/report-202572.png\" alt=\"\" width=\"1885\" height=\"991\" srcset=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10181522\/report-202572.png 1885w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10181522\/report-202572-300x158.png 300w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10181522\/report-202572-1024x538.png 1024w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10181522\/report-202572-768x404.png 768w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10181522\/report-202572-1536x808.png 1536w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10181522\/report-202572-666x350.png 666w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10181522\/report-202572-740x389.png 740w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10181522\/report-202572-533x280.png 533w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10181522\/report-202572-800x421.png 800w\" sizes=\"auto, (max-width: 1885px) 100vw, 1885px\"><\/a><\/p>\n<p>Over the past two years or so, there has been a significant rise in <a href=\"https:\/\/www.kaspersky.com\/blog\/google-forms-scam\/53909\/\" target=\"_blank\" rel=\"noopener\">attacks utilizing Google Forms<\/a>. Fraudsters create a survey with an enticing title and place the scam messaging directly in the form\u2019s description. They then submit the form themselves, entering the victims\u2019 email addresses into the field for the respondent email. This triggers legitimate notifications from the Google Forms service to the targeted addresses. Because these emails originate from Google\u2019s own mail servers, they appear authentic to most spam filters. The attackers rely on the victim focusing on the \u201cbait\u201d description containing the fraudulent link rather than the standard form header.<\/p>\n<p><a href=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10181613\/report-202573.png\" class=\"magnificImage\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-118858\" src=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10181613\/report-202573.png\" alt=\"\" width=\"1885\" height=\"986\" srcset=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10181613\/report-202573.png 1885w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10181613\/report-202573-300x157.png 300w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10181613\/report-202573-1024x536.png 1024w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10181613\/report-202573-768x402.png 768w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10181613\/report-202573-1536x803.png 1536w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10181613\/report-202573-669x350.png 669w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10181613\/report-202573-740x387.png 740w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10181613\/report-202573-535x280.png 535w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10181613\/report-202573-800x418.png 800w\" sizes=\"auto, (max-width: 1885px) 100vw, 1885px\"><\/a><\/p>\n<p>Google Groups also emerged as a popular tool for spam distribution last year. Scammers would create a group, add the victims\u2019 email addresses as members, and broadcast spam through the service. This scheme proved highly effective: even if a security solution blocked the initial spam message, the user could receive a deluge of automated replies from other addresses on the member list.<\/p>\n<p>At the end of 2025, we encountered a legitimate email in terms of technical metadata that was sent via Google and contained a fraudulent link. The message also included a verification code for the recipient\u2019s email address. To generate this notification, scammers filled out the account registration form in a way that diverted the recipient\u2019s attention toward a fraudulent site. For example, instead of entering a first and last name, the attackers inserted text such as \u201cPersonal Link\u201d followed by a phishing URL, utilizing noise contamination techniques. By entering the victim\u2019s email address into the registration field, the scammers triggered a legitimate system notification containing the fraudulent link.<\/p>\n<p><a href=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10181657\/report-202574.png\" class=\"magnificImage\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-118859\" src=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10181657\/report-202574.png\" alt=\"\" width=\"1885\" height=\"992\" srcset=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10181657\/report-202574.png 1885w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10181657\/report-202574-300x158.png 300w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10181657\/report-202574-1024x539.png 1024w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10181657\/report-202574-768x404.png 768w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10181657\/report-202574-1536x808.png 1536w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10181657\/report-202574-665x350.png 665w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10181657\/report-202574-740x389.png 740w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10181657\/report-202574-532x280.png 532w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10181657\/report-202574-800x421.png 800w\" sizes=\"auto, (max-width: 1885px) 100vw, 1885px\"><\/a><\/p>\n<h4 id=\"openai\">OpenAI<\/h4>\n<p>In addition to Google services, spammers leveraged other platforms to distribute email threats, notably OpenAI, riding the wave of artificial intelligence popularity. In 2025, we observed emails sent via the OpenAI platform into which spammers had injected short messages, fraudulent links, or phone numbers.<\/p>\n<p><a href=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10181736\/report-202575.png\" class=\"magnificImage\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-118860\" src=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10181736\/report-202575.png\" alt=\"\" width=\"1885\" height=\"984\" srcset=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10181736\/report-202575.png 1885w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10181736\/report-202575-300x157.png 300w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10181736\/report-202575-1024x535.png 1024w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10181736\/report-202575-768x401.png 768w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10181736\/report-202575-1536x802.png 1536w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10181736\/report-202575-670x350.png 670w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10181736\/report-202575-740x386.png 740w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10181736\/report-202575-536x280.png 536w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10181736\/report-202575-800x418.png 800w\" sizes=\"auto, (max-width: 1885px) 100vw, 1885px\"><\/a><\/p>\n<p>This occurs during the account registration process on the OpenAI platform, where users are prompted to create an organization to generate an API key. Spammers placed their fraudulent content directly into the field designated for the organization\u2019s name. They then added the victims\u2019 email addresses as organization members, triggering automated platform invitations that delivered the fraudulent links or contact numbers directly to the targets.<\/p>\n<h2 id=\"spear-phishing-and-bec-attacks-in-2025\">Spear phishing and BEC attacks in 2025<\/h2>\n<h3 id=\"qr-codes\">QR codes<\/h3>\n<p>The use of QR codes in spear phishing has become a conventional tactic that threat actors continued to employ throughout 2025. Specifically, we observed the persistence of a major trend <a href=\"https:\/\/securelist.com\/spam-and-phishing-report-2024\/115536\/#Spear%20phishing%20in%202024\" target=\"_blank\" rel=\"noopener\">identified in our previous report<\/a>: the distribution of phishing documents disguised as notifications from a company\u2019s HR department.<\/p>\n<p>In these campaigns, attackers impersonated HR team members, requesting that employees review critical documentation, such as a new corporate policy or code of conduct. These documents were typically attached to the email as PDF files.<\/p>\n<div id=\"attachment_118861\" style=\"width: 650px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10181841\/report-202576.jpeg\" class=\"magnificImage\"><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-118861\" class=\"size-full wp-image-118861\" src=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10181841\/report-202576.jpeg\" alt=\"Phishing notification about &quot;new corporate policies&quot;\" width=\"640\" height=\"905\" srcset=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10181841\/report-202576.jpeg 640w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10181841\/report-202576-212x300.jpeg 212w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10181841\/report-202576-248x350.jpeg 248w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10181841\/report-202576-198x280.jpeg 198w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10181841\/report-202576-636x900.jpeg 636w\" sizes=\"auto, (max-width: 640px) 100vw, 640px\"><\/a><\/p>\n<p id=\"caption-attachment-118861\" class=\"wp-caption-text\">Phishing notification about \u201cnew corporate policies\u201d<\/p>\n<\/div>\n<p>To maintain the ruse, the PDF document contained a highly convincing call to action, prompting the user to scan a QR code to access the relevant file. While attackers previously <a href=\"https:\/\/securelist.com\/spam-phishing-report-2023\/112015\/#QR%20codes\" target=\"_blank\" rel=\"noopener\">embedded these codes directly into the body of the email<\/a>, last year saw a significant shift toward placing them within attachments \u2013 most likely in an attempt to bypass email security filters.<\/p>\n<div id=\"attachment_118862\" style=\"width: 1250px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10181933\/report-202577.png\" class=\"magnificImage\"><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-118862\" class=\"size-full wp-image-118862\" src=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10181933\/report-202577.png\" alt=\"Malicious PDF content\" width=\"1240\" height=\"889\" srcset=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10181933\/report-202577.png 1240w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10181933\/report-202577-300x215.png 300w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10181933\/report-202577-1024x734.png 1024w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10181933\/report-202577-768x551.png 768w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10181933\/report-202577-488x350.png 488w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10181933\/report-202577-740x531.png 740w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10181933\/report-202577-391x280.png 391w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10181933\/report-202577-800x574.png 800w\" sizes=\"auto, (max-width: 1240px) 100vw, 1240px\"><\/a><\/p>\n<p id=\"caption-attachment-118862\" class=\"wp-caption-text\">Malicious PDF content<\/p>\n<\/div>\n<p>Upon scanning the QR code within the attachment, the victim was redirected to a phishing page meticulously designed to mimic a Microsoft authentication form.<\/p>\n<div id=\"attachment_118863\" style=\"width: 615px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10182014\/report-202578.png\" class=\"magnificImage\"><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-118863\" class=\"size-full wp-image-118863\" src=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10182014\/report-202578.png\" alt=\"Phishing page with an authentication form\" width=\"605\" height=\"1131\" srcset=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10182014\/report-202578.png 605w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10182014\/report-202578-160x300.png 160w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10182014\/report-202578-548x1024.png 548w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10182014\/report-202578-187x350.png 187w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10182014\/report-202578-535x1000.png 535w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10182014\/report-202578-150x280.png 150w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10182014\/report-202578-481x900.png 481w\" sizes=\"auto, (max-width: 605px) 100vw, 605px\"><\/a><\/p>\n<p id=\"caption-attachment-118863\" class=\"wp-caption-text\">Phishing page with an authentication form<\/p>\n<\/div>\n<p>In addition to fraudulent HR notifications, threat actors created scheduled meetings within the victim\u2019s email calendar, placing DOC or PDF files containing QR codes in the event descriptions. Leveraging calendar invites to distribute malicious links is a legacy technique that was widely observed during scam campaigns in 2019. After several years of relative dormancy, we saw a resurgence of this technique last year, now integrated into more sophisticated spear phishing operations.<\/p>\n<div id=\"attachment_118864\" style=\"width: 1291px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10182052\/report-202579.jpeg\" class=\"magnificImage\"><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-118864\" class=\"size-full wp-image-118864\" src=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10182052\/report-202579.jpeg\" alt=\"Fake meeting invitation\" width=\"1281\" height=\"337\" srcset=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10182052\/report-202579.jpeg 1281w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10182052\/report-202579-300x79.jpeg 300w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10182052\/report-202579-1024x269.jpeg 1024w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10182052\/report-202579-768x202.jpeg 768w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10182052\/report-202579-740x195.jpeg 740w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10182052\/report-202579-1064x280.jpeg 1064w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10182052\/report-202579-800x210.jpeg 800w\" sizes=\"auto, (max-width: 1281px) 100vw, 1281px\"><\/a><\/p>\n<p id=\"caption-attachment-118864\" class=\"wp-caption-text\">Fake meeting invitation<\/p>\n<\/div>\n<p>In one specific example, the attachment was presented as a \u201cnew voicemail\u201d notification. To listen to the recording, the user was prompted to scan a QR code and sign in to their account on the resulting page.<\/p>\n<div id=\"attachment_118865\" style=\"width: 760px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10182133\/report-202580.png\" class=\"magnificImage\"><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-118865\" class=\"size-full wp-image-118865\" src=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10182133\/report-202580.png\" alt=\"Malicious attachment content\" width=\"750\" height=\"792\" srcset=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10182133\/report-202580.png 750w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10182133\/report-202580-284x300.png 284w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10182133\/report-202580-331x350.png 331w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10182133\/report-202580-740x781.png 740w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10182133\/report-202580-265x280.png 265w\" sizes=\"auto, (max-width: 750px) 100vw, 750px\"><\/a><\/p>\n<p id=\"caption-attachment-118865\" class=\"wp-caption-text\">Malicious attachment content<\/p>\n<\/div>\n<p>As in the previous scenario, scanning the code redirected the user to a phishing page, where they risked losing access to their Microsoft account or internal corporate sites.<\/p>\n<h3 id=\"link-protection-services\">Link protection services<\/h3>\n<p>Threat actors utilized more than just QR codes to hide phishing URLs and bypass security checks. In 2025, we discovered that fraudsters began weaponizing link protection services for the same purpose. The primary function of these services is to intercept and scan URLs at the moment of clicking to prevent users from reaching phishing sites or downloading malware. However, attackers are now abusing this technology by generating phishing links that security systems mistakenly categorize as \u201csafe\u201d.<\/p>\n<p>This technique is employed in both mass and spear phishing campaigns. It is particularly dangerous in targeted attacks, which often incorporate employees\u2019 personal data and mimic official corporate branding. When combined with these characteristics, a URL generated through a legitimate link protection service can significantly bolster the perceived authenticity of a phishing email.<\/p>\n<div id=\"attachment_118866\" style=\"width: 1450px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10182220\/report-202581.png\" class=\"magnificImage\"><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-118866\" class=\"size-full wp-image-118866\" src=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10182220\/report-202581.png\" alt=\"&quot;Protected&quot; link in a phishing email\" width=\"1440\" height=\"797\" srcset=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10182220\/report-202581.png 1440w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10182220\/report-202581-300x166.png 300w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10182220\/report-202581-1024x567.png 1024w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10182220\/report-202581-768x425.png 768w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10182220\/report-202581-270x150.png 270w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10182220\/report-202581-632x350.png 632w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10182220\/report-202581-740x410.png 740w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10182220\/report-202581-506x280.png 506w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10182220\/report-202581-800x443.png 800w\" sizes=\"auto, (max-width: 1440px) 100vw, 1440px\"><\/a><\/p>\n<p id=\"caption-attachment-118866\" class=\"wp-caption-text\">\u201cProtected\u201d link in a phishing email<\/p>\n<\/div>\n<p>After opening a URL that seemed safe, the user was directed to a phishing site.<\/p>\n<div id=\"attachment_118867\" style=\"width: 760px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10182256\/report-202582.jpeg\" class=\"magnificImage\"><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-118867\" class=\"size-full wp-image-118867\" src=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10182256\/report-202582.jpeg\" alt=\"Phishing page\" width=\"750\" height=\"571\" srcset=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10182256\/report-202582.jpeg 750w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10182256\/report-202582-300x228.jpeg 300w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10182256\/report-202582-460x350.jpeg 460w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10182256\/report-202582-740x563.jpeg 740w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10182256\/report-202582-368x280.jpeg 368w\" sizes=\"auto, (max-width: 750px) 100vw, 750px\"><\/a><\/p>\n<p id=\"caption-attachment-118867\" class=\"wp-caption-text\">Phishing page<\/p>\n<\/div>\n<h3 id=\"bec-and-fabricated-email-chains\">BEC and fabricated email chains<\/h3>\n<p>In Business Email Compromise (BEC) attacks, threat actors have also begun employing new techniques, the most notable of which is the use of fake forwarded messages.<\/p>\n<div id=\"attachment_118868\" style=\"width: 1450px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10182338\/report-202583-1_83-2.png\" class=\"magnificImage\"><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-118868\" class=\"size-full wp-image-118868\" src=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10182338\/report-202583-1_83-2.png\" alt=\"BEC email featuring a fabricated message thread\" width=\"1440\" height=\"1430\" srcset=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10182338\/report-202583-1_83-2.png 1440w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10182338\/report-202583-1_83-2-300x298.png 300w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10182338\/report-202583-1_83-2-1024x1017.png 1024w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10182338\/report-202583-1_83-2-150x150.png 150w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10182338\/report-202583-1_83-2-768x763.png 768w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10182338\/report-202583-1_83-2-352x350.png 352w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10182338\/report-202583-1_83-2-740x735.png 740w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10182338\/report-202583-1_83-2-282x280.png 282w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10182338\/report-202583-1_83-2-800x794.png 800w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10182338\/report-202583-1_83-2-50x50.png 50w\" sizes=\"auto, (max-width: 1440px) 100vw, 1440px\"><\/a><\/p>\n<p id=\"caption-attachment-118868\" class=\"wp-caption-text\">BEC email featuring a fabricated message thread<\/p>\n<\/div>\n<p>This BEC attack unfolded as follows. An employee would receive an email containing a previous conversation between the sender and another colleague. The final message in this thread was typically an automated out-of-office reply or a request to hand off a specific task to a new assignee. In reality, however, the entire initial conversation with the colleague was completely fabricated. These messages lacked the thread-index headers, as well as other critical header values, that would typically verify the authenticity of an actual email chain.<\/p>\n<p>In the example at hand, the victim was pressured to urgently pay for a license using the provided banking details. The PDF attachments included wire transfer instructions and a counterfeit cover letter from the bank.<\/p>\n<div id=\"attachment_118869\" style=\"width: 850px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10182426\/report-202584.png\" class=\"magnificImage\"><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-118869\" class=\"size-full wp-image-118869\" src=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10182426\/report-202584.png\" alt=\"Malicious PDF content\" width=\"840\" height=\"704\" srcset=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10182426\/report-202584.png 840w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10182426\/report-202584-300x251.png 300w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10182426\/report-202584-768x644.png 768w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10182426\/report-202584-418x350.png 418w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10182426\/report-202584-740x620.png 740w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10182426\/report-202584-334x280.png 334w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10182426\/report-202584-800x670.png 800w\" sizes=\"auto, (max-width: 840px) 100vw, 840px\"><\/a><\/p>\n<p id=\"caption-attachment-118869\" class=\"wp-caption-text\">Malicious PDF content<\/p>\n<\/div>\n<p>The bank does not actually have an office at the address provided in the documents.<\/p>\n<h2 id=\"statistics-phishing\">Statistics: phishing<\/h2>\n<p>In 2025, Kaspersky solutions blocked 554,002,207 attempts to follow fraudulent links. In contrast to the trends of previous years, we did not observe any major spikes in phishing activity; instead, the volume of attacks remained relatively stable throughout the year, with the exception of a minor decline in December.<\/p>\n<div class=\"js-infogram-embed\" data-id=\"_\/ybsOGvGD1qtOI7fCyZ2A\" data-type=\"interactive\" data-title=\"01-EN-Spam and phishing report charts\" style=\"min-height:;\"><\/div>\n<p style=\"text-align: center;font-style: italic;font-weight: bold;margin-top: -10px\"><em>Anti-Phishing triggers, 2025 (<a href=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10182549\/01-en-spam-and-phishing-report-charts.png\" target=\"_blank\" rel=\"noopener\">download<\/a>)<\/em><\/p>\n<p>The phishing and scam landscape underwent a shift. While in 2024, we saw a high volume of mass attacks, their frequency declined in 2025. Furthermore, redirection-based schemes, which were frequently used for online fraud in 2024, became less prevalent in 2025.<\/p>\n<h3 id=\"map-of-phishing-attacks\">Map of phishing attacks<\/h3>\n<p><a href=\"https:\/\/securelist.com\/spam-and-phishing-report-2024\/115536\/#Map%20of%20phishing%20attacks\" target=\"_blank\" rel=\"noopener\">As in the previous year<\/a>, Peru remains the country with the highest percentage (17.46%) of users targeted by phishing attacks. Bangladesh (16.98%) took second place, entering the TOP 10 for the first time, while Malawi (16.65%), which was absent from the 2024 rankings, was third. Following these are Tunisia (16.19%), Colombia (15.67%), the latter also being a newcomer to the TOP 10, Brazil (15.48%), and Ecuador (15.27%). They are followed closely by Madagascar and Kenya, both with a 15.23% share of attacked users. Rounding out the list is Vietnam, which previously held the third spot, with a share of 15.05%.<\/p>\n<table>\n<tbody>\n<tr>\n<td><strong>Country\/territory<\/strong><\/td>\n<td><strong>Share of attacked users**<\/strong><\/td>\n<\/tr>\n<tr>\n<td>Peru<\/td>\n<td>17.46%<\/td>\n<\/tr>\n<tr>\n<td>Bangladesh<\/td>\n<td>16.98%<\/td>\n<\/tr>\n<tr>\n<td>Malawi<\/td>\n<td>16.65%<\/td>\n<\/tr>\n<tr>\n<td>Tunisia<\/td>\n<td>16.19%<\/td>\n<\/tr>\n<tr>\n<td>Colombia<\/td>\n<td>15.67%<\/td>\n<\/tr>\n<tr>\n<td>Brazil<\/td>\n<td>15.48%<\/td>\n<\/tr>\n<tr>\n<td>Ecuador<\/td>\n<td>15.27%<\/td>\n<\/tr>\n<tr>\n<td>Madagascar<\/td>\n<td>15.23%<\/td>\n<\/tr>\n<tr>\n<td>Kenya<\/td>\n<td>15.23%<\/td>\n<\/tr>\n<tr>\n<td>Vietnam<\/td>\n<td>15.05%<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p><em>** Share of users who encountered phishing out of the total number of Kaspersky users in the country\/territory, 2025<\/em><\/p>\n<h3 id=\"top-level-domains\">Top-level domains<\/h3>\n<p>In 2025, breaking a trend that had persisted for several years, the majority of phishing pages were hosted within the XYZ TLD zone, accounting for 21.64% \u2013 a three-fold increase compared to 2024. The second most popular zone was TOP (15.45%), followed by BUZZ (13.58%). This high demand can be attributed to the low cost of domain registration in these zones. The COM domain, which had previously held the top spot consistently, fell to fourth place (10.52%). It is important to note that this decline is partially driven by the popularity of typosquatting attacks: threat actors frequently spoof sites within the COM domain by using alternative suffixes, such as example-com.site instead of example.com. Following COM is the BOND TLD, entering the TOP 10 for the first time with a 5.56% share. As this zone is typically associated with financial websites, the surge in malicious interest there is a logical progression for financial phishing. The sixth and seventh positions are held by ONLINE (3.39%) and SITE (2.02%), which occupied the fourth and fifth spots, respectively, in 2024. In addition, three domain zones that had not previously appeared in our statistics emerged as popular hosting environments for phishing sites. These included the CFD domain (1.97%), typically used for websites in the clothing, fashion, and design sectors; the Polish national top-level domain, PL (1.75%); and the LOL domain (1.60%).<\/p>\n<div class=\"js-infogram-embed\" data-id=\"_\/FdOKK5T2dEvWjV7hZl3l\" data-type=\"interactive\" data-title=\"02-EN-Spam and phishing report charts\" style=\"min-height:;\"><\/div>\n<p style=\"text-align: center;font-style: italic;font-weight: bold;margin-top: -10px\"><em>Most frequent top-level domains for phishing pages, 2025 (<a href=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10182723\/02-en-spam-and-phishing-report-charts.png\" target=\"_blank\" rel=\"noopener\">download<\/a>)<\/em><\/p>\n<h3 id=\"organizations-targeted-by-phishing-attacks\">Organizations targeted by phishing attacks<\/h3>\n<p><em>The rankings of organizations targeted by phishers are based on detections by the Anti-Phishing deterministic component on user computers. The component detects all pages with phishing content that the user has tried to open by following a link in an email message or on the web, as long as links to these pages are present in the Kaspersky database.<\/em><\/p>\n<p>Phishing pages impersonating web services (27.42%) and global internet portals (15.89%) maintained their positions in the TOP 10, continuing to rank first and second, respectively. Online stores (11.27%), a traditional favorite among threat actors, returned to the third spot. In 2025, phishers showed increased interest in online gamers: websites mimicking gaming platforms jumped from ninth to fifth place (7.58%). These are followed by banks (6.06%), payment systems (5.93%), messengers (5.70%), and delivery services (5.06%). Phishing attacks also targeted social media (4.42%) and government services (1.77%) accounts.<\/p>\n<div class=\"js-infogram-embed\" data-id=\"_\/DzfrLdjG3svjxdQIyM9l\" data-type=\"interactive\" data-title=\"03-EN-Spam and phishing report charts\" style=\"min-height:;\"><\/div>\n<p style=\"text-align: center;font-style: italic;font-weight: bold;margin-top: -10px\"><em>Distribution of targeted organizations by category, 2025 (<a href=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10182850\/03-en-spam-and-phishing-report-charts.png\" target=\"_blank\" rel=\"noopener\">download<\/a>)<\/em><\/p>\n<h2 id=\"statistics-spam\">Statistics: spam<\/h2>\n<h3 id=\"share-of-spam-in-email-traffic\">Share of spam in email traffic<\/h3>\n<p>In 2025, the average share of spam in global email traffic was 44.99%, representing a decrease of 2.28 percentage points compared to the previous year. Notably, contrary to the trends of the past several years, the fourth quarter was the busiest one: an average of 49.26% of emails were categorized as spam, with peak activity occurring in November (52.87%) and December (51.80%). Throughout the rest of the year, the distribution of junk mail remained relatively stable without significant spikes, maintaining an average share of approximately 43.50%.<\/p>\n<div class=\"js-infogram-embed\" data-id=\"_\/F8NNfL7BQ5xQmBoQvQ9v\" data-type=\"interactive\" data-title=\"04-EN-Spam and phishing report charts\" style=\"min-height:;\"><\/div>\n<p style=\"text-align: center;font-style: italic;font-weight: bold;margin-top: -10px\"><em>Share of spam in global email traffic, 2025 (<a href=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10183009\/04-en-spam-and-phishing-report-charts.png\" target=\"_blank\" rel=\"noopener\">download<\/a>)<\/em><\/p>\n<p>In the Russian web segment (Runet), we observed a more substantial decline: the average share of spam decreased by 5.3 percentage points to 43.27%. Deviating from the global trend, the fourth quarter was the quietest period in Russia, with a share of 41.28%. We recorded the lowest level of spam activity in December, when only 36.49% of emails were identified as junk. January and February were also relatively calm, with average values of 41.94% and 43.09%, respectively. Conversely, the Runet figures for March\u2013October correlated with global figures: no major surges were observed, spam accounting for an average of 44.30% of total email traffic during these months.<\/p>\n<div class=\"js-infogram-embed\" data-id=\"_\/0MuDttqkpFBugFlSb7DE\" data-type=\"interactive\" data-title=\"05-EN-Spam and phishing report charts\" style=\"min-height:;\"><\/div>\n<p style=\"text-align: center;font-style: italic;font-weight: bold;margin-top: -10px\"><em>Share of spam in Runet email traffic, 2025 (<a href=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10183130\/05-en-spam-and-phishing-report-charts.png\" target=\"_blank\" rel=\"noopener\">download<\/a>)<\/em><\/p>\n<h3 id=\"countries-and-territories-where-spam-originated\">Countries and territories where spam originated<\/h3>\n<p>The top three countries in the 2025 rankings for the volume of outgoing spam mirror the distribution of the previous year: Russia, China, and the United States. However, the share of spam originating from Russia decreased from 36.18% to 32.50%, while the shares of China (19.10%) and the U.S. (10.57%) each increased by approximately 2 percentage points. Germany rose to fourth place (3.46%), up from sixth last year, displacing Kazakhstan (2.89%). Hong Kong followed in sixth place (2.11%). The Netherlands and Japan shared the next spot with identical shares of 1.95%; however, we observed a year-over-year increase in outgoing spam from the Netherlands, whereas Japan saw a decline. The TOP 10 is rounded out by Brazil (1.94%) and Belarus (1.74%), the latter ranking for the first time.<\/p>\n<div class=\"js-infogram-embed\" data-id=\"_\/YJC3LheB6N5uir4y6LLA\" data-type=\"interactive\" data-title=\"06-EN-Spam and phishing report charts\" style=\"min-height:;\"><\/div>\n<p style=\"text-align: center;font-style: italic;font-weight: bold;margin-top: -10px\"><em>TOP 20 countries and territories where spam originated in 2025 (<a href=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10183246\/06-en-spam-and-phishing-report-charts-1.png\" target=\"_blank\" rel=\"noopener\">download<\/a>)<\/em><\/p>\n<h3 id=\"malicious-email-attachments\">Malicious email attachments<\/h3>\n<p>In 2025, Kaspersky solutions blocked 144,722,674 malicious email attachments, an increase of nineteen million compared to the previous year. The beginning and end of the year were traditionally the most stable periods; however, we also observed a notable decline in activity during August and September. Peaks in email antivirus detections occurred in June, July, and November.<\/p>\n<div class=\"js-infogram-embed\" data-id=\"_\/CPc8U6jU9w3tkXT7WGLp\" data-type=\"interactive\" data-title=\"07-EN-Spam and phishing report charts\" style=\"min-height:;\"><\/div>\n<p style=\"text-align: center;font-style: italic;font-weight: bold;margin-top: -10px\"><em>Email antivirus detections, 2025 (<a href=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10183404\/07-en-spam-and-phishing-report-charts.png\" target=\"_blank\" rel=\"noopener\">download<\/a>)<\/em><\/p>\n<p>The most prevalent malicious email attachment in 2025 was the <a href=\"https:\/\/threats.kaspersky.com\/en\/threat\/Trojan.Win32.Makoob.gen\/\" target=\"_blank\" rel=\"noopener\">Makoob<\/a> Trojan family, which covertly harvests system information and user credentials. Makoob first entered the TOP 10 in 2023 in eighth place, rose to third in 2024, and secured the top spot in 2025 with a share of 4.88%. Following Makoob, as in the previous year, was the <a href=\"https:\/\/threats.kaspersky.com\/en\/threat\/Trojan.Win32.Badun\/\" target=\"_blank\" rel=\"noopener\">Badun<\/a> Trojan family (4.13%), which typically disguises itself as electronic documents. The third spot is held by the <a href=\"https:\/\/threats.kaspersky.com\/en\/threat\/Trojan.MSIL.Taskun\/\" target=\"_blank\" rel=\"noopener\">Taskun<\/a> family (3.68%), which creates malicious scheduled tasks, followed by <a href=\"https:\/\/threats.kaspersky.com\/en\/threat\/Trojan-PSW.MSIL.Agensla\/\" target=\"_blank\" rel=\"noopener\">Agensla<\/a> stealers (3.16%), which were the most common malicious attachments in 2024. Next are <a href=\"https:\/\/threats.kaspersky.com\/en\/threat\/Trojan.Win32.AutoItScript\/\" target=\"_blank\" rel=\"noopener\">Trojan.Win32.AutoItScript<\/a> scripts (2.88%), appearing in the rankings for the first time. In sixth place is the Noon spyware <a href=\"https:\/\/threats.kaspersky.com\/en\/threat\/Trojan-Spy.MSIL.Noon\/\" target=\"_blank\" rel=\"noopener\">for all Windows systems<\/a> (2.63%), which also occupied the tenth spot with its variant <a href=\"https:\/\/threats.kaspersky.com\/en\/threat\/Trojan-Spy.Win32.Noon\/\" target=\"_blank\" rel=\"noopener\">specifically targeting 32-bit systems<\/a> (1.10%). Rounding out the TOP 10 are <a href=\"https:\/\/threats.kaspersky.com\/en\/threat\/Hoax.HTML.Phish\/\" target=\"_blank\" rel=\"noopener\">Hoax.HTML.Phish<\/a> (1.98%) phishing attachments, <a href=\"https:\/\/threats.kaspersky.com\/en\/threat\/Trojan.Win32.Guloader\/\" target=\"_blank\" rel=\"noopener\">Guloader<\/a> downloaders (1.90%) \u2013 a newcomer to the rankings \u2013 and <a href=\"https:\/\/threats.kaspersky.com\/en\/threat\/Trojan.PDF.Badur\/\" target=\"_blank\" rel=\"noopener\">Badur<\/a> (1.56%) PDF documents containing suspicious links.<\/p>\n<div class=\"js-infogram-embed\" data-id=\"_\/Iiu0qCpY4QnbGp6Vc2pA\" data-type=\"interactive\" data-title=\"08-EN PT-BR ES-MX Spam and phishing report charts\" style=\"min-height:;\"><\/div>\n<p style=\"text-align: center;font-style: italic;font-weight: bold;margin-top: -10px\"><em>TOP 10 malware families distributed via email attachments, 2025 (<a href=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10183623\/08-en-pt-br-es-mx-spam-and-phishing-report-charts-1.png\" target=\"_blank\" rel=\"noopener\">download<\/a>)<\/em><\/p>\n<p>The distribution of specific malware samples traditionally mirrors the distribution of malware families almost exactly. The only differences are that a specific variant of the Agensla stealer ranked sixth instead of fourth (2.53%), and the Phish and Guloader samples swapped positions (1.58% and 1.78%, respectively). Rounding out the rankings in tenth place is the password stealer <a href=\"https:\/\/threats.kaspersky.com\/en\/threat\/HEUR:Trojan-PSW.MSIL.PureLogs.gen\/\" target=\"_blank\" rel=\"noopener\">Trojan-PSW.MSIL.PureLogs.gen<\/a> with a share of 1.02%.<\/p>\n<div class=\"js-infogram-embed\" data-id=\"_\/VwTlEUsmkOTrUOI7ap86\" data-type=\"interactive\" data-title=\"09-EN PT-BR ES-MX Spam and phishing report charts\" style=\"min-height:;\"><\/div>\n<p style=\"text-align: center;font-style: italic;font-weight: bold;margin-top: -10px\"><em>TOP 10 malware samples distributed via email attachments, 2025 (<a href=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10183746\/09-en-pt-br-es-mx-spam-and-phishing-report-charts-1.png\" target=\"_blank\" rel=\"noopener\">download<\/a>)<\/em><\/p>\n<h3 id=\"countries-and-territories-targeted-by-malicious-mailings\">Countries and territories targeted by malicious mailings<\/h3>\n<p>The highest volume of malicious email attachments was blocked on devices belonging to users in China (13.74%). For the first time in two years, Russia dropped to second place with a share of 11.18%. Following closely behind are Mexico (8.18%) and Spain (7.70%), which swapped places compared to the previous year. Email antivirus triggers saw a slight increase in T\u00fcrkiye (5.19%), which maintained its fifth-place position. Sixth and seventh places are held by Vietnam (4.14%) and Malaysia (3.70%); both countries climbed higher in the TOP 10 due to an increase in detection shares. These are followed by the UAE (3.12%), which held its position from the previous year. Italy (2.43%) and Colombia (2.07%) also entered the TOP 10 list of targets for malicious mailshots.<\/p>\n<div class=\"js-infogram-embed\" data-id=\"_\/1uQP0ERdXsZCVwrml6oH\" data-type=\"interactive\" data-title=\"10-EN-Spam and phishing report charts\" style=\"min-height:;\"><\/div>\n<p style=\"text-align: center;font-style: italic;font-weight: bold;margin-top: -10px\"><em>TOP 20 countries and territories targeted by malicious mailshots, 2025 (<a href=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/10183903\/10-en-spam-and-phishing-report-charts-1.png\" target=\"_blank\" rel=\"noopener\">download<\/a>)<\/em><\/p>\n<h2 id=\"conclusion\">Conclusion<\/h2>\n<p>2026 will undoubtedly be marked by novel methods of exploiting artificial intelligence capabilities. At the same time, messaging app credentials will remain a highly sought-after prize for threat actors. While new schemes are certain to emerge, they will likely supplement rather than replace time-tested tricks and tactics. This underscores the reality that, alongside the deployment of robust security software, users must remain vigilant and exercise extreme caution toward any online offers that raise even the slightest suspicion.<\/p>\n<p>The intensified focus on government service credentials signals a rise in potential impact; unauthorized access to these services can lead to financial theft, data breaches, and full-scale identity theft. Furthermore, the increased abuse of legitimate tools and the rise of multi-stage attacks \u2013 which often begin with seemingly harmless files or links \u2013 demonstrate a concerted effort by fraudsters to lull users into a false sense of security while pursuing their malicious objectives.<\/p>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>The year in figures 99% of all emails sent worldwide and 43.27% of all emails sent in the Russian web segment were spam 50% of all spam emails were sent from Russia Kaspersky Mail Anti-Virus blocked 144,722,674 malicious email attachments Our Anti-Phishing system thwarted 554,002,207 attempts to follow phishing links Phishing and scams in 2025 [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"site-container-style":"default","site-container-layout":"default","site-sidebar-layout":"default","disable-article-header":"default","disable-site-header":"default","disable-site-footer":"default","disable-content-area-spacing":"default","footnotes":""},"categories":[4,90,630,226,628,94,631,222,623,625,626,624,250,230,253,627,629],"tags":[91],"class_list":["post-1222","post","type-post","status-publish","format-standard","hentry","category-ai","category-cybersecurity","category-malicious-spam","category-money-theft","category-nigerian-spam","category-phishing","category-phishing-websites","category-spam-and-phishing","category-spam-and-phishing-reports","category-spam-letters","category-spam-statistics","category-spammer-techniques","category-spear-phishing","category-telegram","category-thematic-phishing","category-thematic-spam","category-whatsapp","tag-cybersecurity"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v26.7 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>Spam and phishing in 2025 - Imperative Business Ventures Limited<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/blog.ibvl.in\/index.php\/2026\/02\/11\/spam-and-phishing-in-2025\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Spam and phishing in 2025 - Imperative Business Ventures Limited\" \/>\n<meta property=\"og:description\" content=\"The year in figures 99% of all emails sent worldwide and 43.27% of all emails sent in the Russian web segment were spam 50% of all spam emails were sent from Russia Kaspersky Mail Anti-Virus blocked 144,722,674 malicious email attachments Our Anti-Phishing system thwarted 554,002,207 attempts to follow phishing links Phishing and scams in 2025 [&hellip;]\" \/>\n<meta property=\"og:url\" content=\"https:\/\/blog.ibvl.in\/index.php\/2026\/02\/11\/spam-and-phishing-in-2025\/\" \/>\n<meta property=\"og:site_name\" content=\"Imperative Business Ventures Limited\" \/>\n<meta property=\"article:published_time\" content=\"2026-02-11T10:06:08+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/11095049\/spam-and-phishing-2025-featured-scaled-1-990x400.jpg\" \/>\n<meta name=\"author\" content=\"admin\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"admin\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"34 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/blog.ibvl.in\/index.php\/2026\/02\/11\/spam-and-phishing-in-2025\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/blog.ibvl.in\/index.php\/2026\/02\/11\/spam-and-phishing-in-2025\/\"},\"author\":{\"name\":\"admin\",\"@id\":\"https:\/\/blog.ibvl.in\/#\/schema\/person\/55b87b72a56b1bbe9295fe5ef7a20b02\"},\"headline\":\"Spam and phishing in 2025\",\"datePublished\":\"2026-02-11T10:06:08+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/blog.ibvl.in\/index.php\/2026\/02\/11\/spam-and-phishing-in-2025\/\"},\"wordCount\":6882,\"image\":{\"@id\":\"https:\/\/blog.ibvl.in\/index.php\/2026\/02\/11\/spam-and-phishing-in-2025\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/11095049\/spam-and-phishing-2025-featured-scaled-1-990x400.jpg\",\"keywords\":[\"Cybersecurity\"],\"articleSection\":[\"AI\",\"Cybersecurity\",\"Malicious spam\",\"Money theft\",\"Nigerian Spam\",\"Phishing\",\"Phishing websites\",\"Spam and phishing\",\"Spam and phishing reports\",\"Spam Letters\",\"Spam Statistics\",\"Spammer techniques\",\"Spear phishing\",\"Telegram\",\"Thematic phishing\",\"Thematic spam\",\"WhatsApp\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/blog.ibvl.in\/index.php\/2026\/02\/11\/spam-and-phishing-in-2025\/\",\"url\":\"https:\/\/blog.ibvl.in\/index.php\/2026\/02\/11\/spam-and-phishing-in-2025\/\",\"name\":\"Spam and phishing in 2025 - Imperative Business Ventures Limited\",\"isPartOf\":{\"@id\":\"https:\/\/blog.ibvl.in\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/blog.ibvl.in\/index.php\/2026\/02\/11\/spam-and-phishing-in-2025\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/blog.ibvl.in\/index.php\/2026\/02\/11\/spam-and-phishing-in-2025\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/11095049\/spam-and-phishing-2025-featured-scaled-1-990x400.jpg\",\"datePublished\":\"2026-02-11T10:06:08+00:00\",\"author\":{\"@id\":\"https:\/\/blog.ibvl.in\/#\/schema\/person\/55b87b72a56b1bbe9295fe5ef7a20b02\"},\"breadcrumb\":{\"@id\":\"https:\/\/blog.ibvl.in\/index.php\/2026\/02\/11\/spam-and-phishing-in-2025\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/blog.ibvl.in\/index.php\/2026\/02\/11\/spam-and-phishing-in-2025\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/blog.ibvl.in\/index.php\/2026\/02\/11\/spam-and-phishing-in-2025\/#primaryimage\",\"url\":\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/11095049\/spam-and-phishing-2025-featured-scaled-1-990x400.jpg\",\"contentUrl\":\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/11095049\/spam-and-phishing-2025-featured-scaled-1-990x400.jpg\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/blog.ibvl.in\/index.php\/2026\/02\/11\/spam-and-phishing-in-2025\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/blog.ibvl.in\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Spam and phishing in 2025\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/blog.ibvl.in\/#website\",\"url\":\"https:\/\/blog.ibvl.in\/\",\"name\":\"Imperative Business Ventures Limited\",\"description\":\"\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/blog.ibvl.in\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Person\",\"@id\":\"https:\/\/blog.ibvl.in\/#\/schema\/person\/55b87b72a56b1bbe9295fe5ef7a20b02\",\"name\":\"admin\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/blog.ibvl.in\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/4d20b2cd313e4417a599678e950e6fb7d4dfa178a72f2b769335a08aaa615aa9?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/4d20b2cd313e4417a599678e950e6fb7d4dfa178a72f2b769335a08aaa615aa9?s=96&d=mm&r=g\",\"caption\":\"admin\"},\"sameAs\":[\"https:\/\/blog.ibvl.in\"],\"url\":\"https:\/\/blog.ibvl.in\/index.php\/author\/admin_hcbs9yw6\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Spam and phishing in 2025 - Imperative Business Ventures Limited","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/blog.ibvl.in\/index.php\/2026\/02\/11\/spam-and-phishing-in-2025\/","og_locale":"en_US","og_type":"article","og_title":"Spam and phishing in 2025 - Imperative Business Ventures Limited","og_description":"The year in figures 99% of all emails sent worldwide and 43.27% of all emails sent in the Russian web segment were spam 50% of all spam emails were sent from Russia Kaspersky Mail Anti-Virus blocked 144,722,674 malicious email attachments Our Anti-Phishing system thwarted 554,002,207 attempts to follow phishing links Phishing and scams in 2025 [&hellip;]","og_url":"https:\/\/blog.ibvl.in\/index.php\/2026\/02\/11\/spam-and-phishing-in-2025\/","og_site_name":"Imperative Business Ventures Limited","article_published_time":"2026-02-11T10:06:08+00:00","og_image":[{"url":"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/11095049\/spam-and-phishing-2025-featured-scaled-1-990x400.jpg","type":"","width":"","height":""}],"author":"admin","twitter_card":"summary_large_image","twitter_misc":{"Written by":"admin","Est. reading time":"34 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/blog.ibvl.in\/index.php\/2026\/02\/11\/spam-and-phishing-in-2025\/#article","isPartOf":{"@id":"https:\/\/blog.ibvl.in\/index.php\/2026\/02\/11\/spam-and-phishing-in-2025\/"},"author":{"name":"admin","@id":"https:\/\/blog.ibvl.in\/#\/schema\/person\/55b87b72a56b1bbe9295fe5ef7a20b02"},"headline":"Spam and phishing in 2025","datePublished":"2026-02-11T10:06:08+00:00","mainEntityOfPage":{"@id":"https:\/\/blog.ibvl.in\/index.php\/2026\/02\/11\/spam-and-phishing-in-2025\/"},"wordCount":6882,"image":{"@id":"https:\/\/blog.ibvl.in\/index.php\/2026\/02\/11\/spam-and-phishing-in-2025\/#primaryimage"},"thumbnailUrl":"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/11095049\/spam-and-phishing-2025-featured-scaled-1-990x400.jpg","keywords":["Cybersecurity"],"articleSection":["AI","Cybersecurity","Malicious spam","Money theft","Nigerian Spam","Phishing","Phishing websites","Spam and phishing","Spam and phishing reports","Spam Letters","Spam Statistics","Spammer techniques","Spear phishing","Telegram","Thematic phishing","Thematic spam","WhatsApp"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/blog.ibvl.in\/index.php\/2026\/02\/11\/spam-and-phishing-in-2025\/","url":"https:\/\/blog.ibvl.in\/index.php\/2026\/02\/11\/spam-and-phishing-in-2025\/","name":"Spam and phishing in 2025 - Imperative Business Ventures Limited","isPartOf":{"@id":"https:\/\/blog.ibvl.in\/#website"},"primaryImageOfPage":{"@id":"https:\/\/blog.ibvl.in\/index.php\/2026\/02\/11\/spam-and-phishing-in-2025\/#primaryimage"},"image":{"@id":"https:\/\/blog.ibvl.in\/index.php\/2026\/02\/11\/spam-and-phishing-in-2025\/#primaryimage"},"thumbnailUrl":"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/11095049\/spam-and-phishing-2025-featured-scaled-1-990x400.jpg","datePublished":"2026-02-11T10:06:08+00:00","author":{"@id":"https:\/\/blog.ibvl.in\/#\/schema\/person\/55b87b72a56b1bbe9295fe5ef7a20b02"},"breadcrumb":{"@id":"https:\/\/blog.ibvl.in\/index.php\/2026\/02\/11\/spam-and-phishing-in-2025\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/blog.ibvl.in\/index.php\/2026\/02\/11\/spam-and-phishing-in-2025\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/blog.ibvl.in\/index.php\/2026\/02\/11\/spam-and-phishing-in-2025\/#primaryimage","url":"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/11095049\/spam-and-phishing-2025-featured-scaled-1-990x400.jpg","contentUrl":"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/11095049\/spam-and-phishing-2025-featured-scaled-1-990x400.jpg"},{"@type":"BreadcrumbList","@id":"https:\/\/blog.ibvl.in\/index.php\/2026\/02\/11\/spam-and-phishing-in-2025\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/blog.ibvl.in\/"},{"@type":"ListItem","position":2,"name":"Spam and phishing in 2025"}]},{"@type":"WebSite","@id":"https:\/\/blog.ibvl.in\/#website","url":"https:\/\/blog.ibvl.in\/","name":"Imperative Business Ventures Limited","description":"","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/blog.ibvl.in\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Person","@id":"https:\/\/blog.ibvl.in\/#\/schema\/person\/55b87b72a56b1bbe9295fe5ef7a20b02","name":"admin","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/blog.ibvl.in\/#\/schema\/person\/image\/","url":"https:\/\/secure.gravatar.com\/avatar\/4d20b2cd313e4417a599678e950e6fb7d4dfa178a72f2b769335a08aaa615aa9?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/4d20b2cd313e4417a599678e950e6fb7d4dfa178a72f2b769335a08aaa615aa9?s=96&d=mm&r=g","caption":"admin"},"sameAs":["https:\/\/blog.ibvl.in"],"url":"https:\/\/blog.ibvl.in\/index.php\/author\/admin_hcbs9yw6\/"}]}},"_links":{"self":[{"href":"https:\/\/blog.ibvl.in\/index.php\/wp-json\/wp\/v2\/posts\/1222","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blog.ibvl.in\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.ibvl.in\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.ibvl.in\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.ibvl.in\/index.php\/wp-json\/wp\/v2\/comments?post=1222"}],"version-history":[{"count":0,"href":"https:\/\/blog.ibvl.in\/index.php\/wp-json\/wp\/v2\/posts\/1222\/revisions"}],"wp:attachment":[{"href":"https:\/\/blog.ibvl.in\/index.php\/wp-json\/wp\/v2\/media?parent=1222"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.ibvl.in\/index.php\/wp-json\/wp\/v2\/categories?post=1222"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.ibvl.in\/index.php\/wp-json\/wp\/v2\/tags?post=1222"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}