Phishing attacks tend to peak at the end of each year as criminals exploit seasonal pressure and distracted staff to increase the intensity of their campaigns. In 2025, the threat is increasing once again – only this time, AI-generated phishing has moved from a niche tactic to an everyday tool for cyber criminals.
This article explains why “phishing season” matters, the trends expected this year and the steps organisations can take to harden their defences.
Why phishing peaks at this time of year
Phishing activity always rises sharply in Q4. The pattern is consistent across recent breach surveys and confirmed by incident response teams.
Common drivers include:
- Increased financial activity
Payroll updates, tax deadlines and year-end reconciliations create opportunities for credible finance-themed scams.
- Staff turnover and reduced oversight
Seasonal leave and temporary cover weaken internal controls.
- Distraction and fatigue
Employees are more likely to act quickly and are less likely to scrutinise unexpected emails or messages.
- Automation gaps
End-of-year system changes, new suppliers and rushed approvals give criminals more entry points.
As a result, these months see the highest concentration of credential harvesting, invoice fraud and business email compromise attempts.
Can you spot a phishing email?
Read our blog How to Spot a Phishing Email in 2025 – with Real Examples and Red Flags and take our free phishing quiz to see if you can spot a phishing email.
Emerging phishing trends for 2025
Phishing is no longer defined by crude templates or obvious errors. AI has made it easy to scale personalised attacks at low cost.
Key trends include:
- AI-generated spear phishing
Attackers use generative AI to write plausible, context-specific messages that mimic internal communication styles.
- Voice phishing (vishing) powered by cloned audio
Deepfake voice models allow attackers to impersonate senior staff in real time.
- Deepfake emails and cloned websites
Criminals can now generate entire email chains and realistic web pages that replicate branding, tone and layout.
- Social engineering through LinkedIn and third-party platforms and tools
Attackers target staff through recruitment messages, file-sharing requests or meeting invitations on Teams, Slack or Zoom.
- Automated reconnaissance
Criminals scrape organisational charts, supplier lists and job postings to craft highly credible pretexts.
These methods increase both click-through rates and the likelihood that users will enter credentials or authorise fraudulent actions.
What recent data shows
Recent statistics underline the scale of the problem:
- 37% of UK businesses reported a phishing attack in 2025 (Cyber Security Breaches Survey 2025).
- Phishing remained the primary attack method, affecting about 85% of businesses (Cyber Security Breaches Survey 2025).
- For those that experienced an attack, phishing was the most disruptive vector for around 61% of businesses in 2024 (Cyber Security Breaches Survey 2025).
- Globally, the average cost of a phishing-related breach is estimated at US$4.88 million in 2025 (DeepStrike).
- About 91% of phishing attempts are delivered via email (IdentityTheft.org).
- Phishing simulation data shows over 2.5 million user clicks across 50 million simulations in 2025 (Hoxhunt).
These figures reflect a familiar pattern: attackers focus on users because they remain the most reliable entry point into an organisation.
Real-world effects
The regulatory consequences can be severe. A phishing-related breach can result in breaches of the GDPR (General Data Protection Regulation) and NIS (Network and Information Security) Regulations 2018. These can lead to investigations, enforcement and significant financial penalties.
For many organisations, disruption to operations and loss of trust far outweigh the direct costs.
How to defend your organisation
No single control will stop phishing. A layered approach is required, including:
- Regular penetration testing
Testing shows how attackers could exploit weak controls, outdated systems or poor credential hygiene. A phishing-focused penetration test provides clear evidence of exposure and remediation priorities.
- Phishing simulations
Simulations help measure staff behaviour under realistic conditions. They provide a safe environment to understand which users are at risk and which attack types succeed most often.
- Employee awareness training
Training should be short, regular and focused on practical recognition skills. Users need to understand common pretexts, modern attack patterns and how criminals exploit AI tools.
- Incident response readiness
Clear internal reporting lines and a tested response plan help reduce the impact of successful attacks. This includes procedures for isolating compromised accounts, managing communications and reporting incidents under the GDPR or NIS Regulations.
A mature phishing defence combines technical controls, staff competence and regular assurance testing.
Stay ahead of phishing season
Phishing will continue to evolve as criminals adopt new AI-driven tools. Organisations that test their defences now will be better prepared for the peak attack season.
Contact us today for a penetration test and identify your phishing vulnerabilities before the attackers do.
The post Phishing Season 2025: How AI is Supercharging Cyber Crime appeared first on IT Governance Blog.

