This article was written and contributed by, Proofpoint.
Proofpoint's new Human Factor report series is a fresh take on how we share insights about the threat landscape. Instead of long, technical reports, this year we've shortened them to make them more actionable. Each volume focuses on a specific threat tactic along with key trends and cybercriminal behaviors, which are observed across Proofpoint's global threat intelligence and backed by data from more than 3.5 billion emails analyzed daily.
In Human Factor, Vol. 1, our globally-recognized threat intelligence experts broke down emerging trends focused on social engineering. In this next edition, Human Factor, Vol. 2, Proofpoint delivers insights about phishing and malicious URLs.
A diversified phishing playbook
Phishing is a form of social engineering in which attackers deceive users into clicking malicious links, downloading harmful files, or handing over sensitive information. Unlike pure social engineering, it's activated by a click. While the core mechanics haven't changed, the delivery methods and payloads have evolved dramatically.
For this report, our researchers tracked the scale, sophistication, and delivery methods that cybercriminals are using when it comes to URL-based threats. What they found is that attackers are diversifying, and it's working. They also observed that attackers are increasingly focused on using malicious links over traditional file-based payloads. And threats are further expanding into mobile and hybrid threat vectors like SMS-based phishing ("smishing") and QR code phishing.
Key takeaways from the report
- URLs are used 4x more often than attachments in malicious emails
- ClickFix URL-based malware campaigns increased nearly 400% year over year
- Approximately 34% of URL-based malware campaigns delivered remote access software
- At least 55% of suspected smishing messages contained malicious URLs
- There were 4.2 million QR code threats identified by Proofpoint in the first half of 2025
Conclusion
Phishing isn't just in email anymore, and malware isn't just in attachments. In spite of thorough awareness training programs and email security investments, phishing remains one of the most persistent and successful attack vectors. That's because it preys on human instinct, not just technical vulnerabilities. And it isn't just a nuisance—it's the front door to data breaches, ransomware attacks, and large-scale fraud.
Our report findings underscore how urgent it is for organizations to reinforce their protections against malicious URLs. It's also important for them to adapt their defenses to stop multichannel phishing tactics that extend beyond the inbox.