VIPRE report reveals 90% of emails in 2024 were spam

VIPRE Security Group has released its annual email threat landscape report, highlighting key trends in email-based cyberattacks and projecting threats for 2025.

The report, titled "Email Security in 2025: What to Expect from the Evolving Email Threat Landscape", is based on an analysis of 7.2 billion emails processed globally in 2024. The significant finding indicates that over 90% of these emails were categorised as spam, with the United States and the United Kingdom leading this list.

According to the report, a substantial portion of spam emails, specifically 37%, fell into the commercial category, while scam and phishing categories accounted for 32% and 21% respectively. The report also highlighted that countries considered among the most trusted, including Switzerland, Sweden, and Norway, featured prominently in the list of top spam senders.

Regarding malware, all instances encountered were Windows-based, including types such as Stealc, Lumma, and AgentTesla. The report noted an increase in infostealers and remote access trojans (RATs) during the last quarter of 2024, which are primarily used to spy on victims and gather sensitive information.

Phishing continues to be a preferred method for cybercriminals, with 70% using links as the primary tactic. Attachments constituted 25%, while the use of QR codes, though lower at 5%, experienced a peak usage of 12% in the fourth quarter of 2024. URL redirection was identified as the most employed phishing tactic, followed by compromised websites and newly created domains.

Business email compromise (BEC) also stands out in the report as a prevalent social engineering strategy. The tactic of impersonation was noted in 88% of BEC cases, with executive positions like CEOs frequently targeted. The report indicates that this type of scam remains effective despite advancements in security software.

The manufacturing sector emerged as the most targeted industry for email attacks, accounting for 32% of such activities. Other affected sectors included energy, retail, health, and government. Microsoft continued to be the most spoofed brand, followed by DocuSign, Apple, and Google.

Usman Choudhary, Chief Product and Technology Officer of VIPRE Security Group, commented on the findings, "This annual email landscape analysis provides valuable insight into the cybersecurity threats that will challenge businesses in 2025. To counter the increasingly automated and AI-enhanced email-based threats, organisations need to implement robust email security technologies and foster a culture of highly vigilant security awareness among employees, in equal measure. This dual approach presents the most realistic and effective approach to surmount the ever-advancing and difficult-to-spot email-based threats."

VIPRE's report predicts several threats that will persist in 2025, including the use of QR codes for phishing, the expansion of infostealers, and the rising use of deepfakes and synthetic media for email attacks. Additionally, AI-driven phishing and social engineering attacks, as well as BEC scams, will continue to pose significant challenges.

This analysis forms part of VIPRE's continuous research effort, utilising data from real-world email traffic to provide insights into current enterprise email usage and behaviours. Such intelligence aims to help businesses understand and protect against email security threats effectively.