Phishing attacks have evolved into a commercial enterprise, lowering barriers to entry and overwhelming defences, according to Sopra Steria’s new State of Cybersecurity report.
Phishing is no longer a matter of opportunistic deception – it is an industrialised business model. With the advent of Phishing-as-a-Service (PhaaS), the tools required to impersonate, manipulate and exploit are now available to the highest bidder, or indeed, to anyone with an internet connection and a few euros to spare.
Sopra Steria’s State of Cybersecurity 2025 report finds that phishing was the leading attack vector in 2024, implicated in nearly 60% of all network intrusions. What is new is not just the frequency of these attacks, but the ecosystem behind them. PhaaS platforms offer ready-made phishing kits, pre-registered domains, automation tools and even technical support – essentially packaging cybercrime into a subscription-based service.
The commercialisation of phishing has democratised cybercrime. Threat actors no longer need coding skills or advanced infrastructure to execute large-scale attacks. With low barriers to entry, more actors are joining the fray, intensifying the volume, reach and sophistication of phishing campaigns.
This shift has significant implications for enterprise security. Phishing emails now come embedded with multi-layered evasion techniques, including HTML smuggling, encrypted ZIP payloads, and reverse proxy capabilities that can bypass even multi-factor authentication (MFA). Traditional perimeter-based security measures are increasingly inadequate.
Phishing goes multichannel
One of the most alarming trends identified in the report is the rise of multichannel phishing. No longer limited to email, campaigns now span SMS, voice calls and messaging apps. Threat actors often impersonate IT support teams or trusted partners, deploying tactics such as spoofed domains, cloned login portals, and real-time AiTM (adversary-in-the-middle) proxies to intercept credentials.
The sophistication of these attacks has been amplified by the widespread use of Phishing-as-a-Service kits. For example, platforms like Evilginx and Tycoon provide detailed guides and dashboards that allow attackers to craft campaigns targeting specific industries, job roles or even individuals. This level of precision was once reserved for state-backed operations.
Moreover, phishing operators are exploiting real-time social media updates to improve timing and plausibility. Fake recruiter profiles on LinkedIn, AI-generated resumes and targeted messages aligned with job changes or promotions are increasingly common.
Crucially, these attacks are no longer just about email compromise – they are about persistent access. Once inside, attackers use compromised accounts to move laterally, exfiltrate data, or deploy additional malware. In many cases, they create forwarding rules, register new devices or manipulate MFA settings to maintain long-term access.
The risk profile is not limited to the IT department. Executives, finance teams and HR personnel are prime targets, given their access to sensitive data and authority over critical transactions. This reality demands a broader cultural and procedural shift in how organisations think about phishing.
Rethinking corporate resilience
To counter the professionalisation of phishing, businesses must adopt equally mature defensive postures. This begins with implementing phishing-resistant MFA – such as hardware-based tokens or certificate-based authentication – which significantly raises the cost and complexity of AiTM attacks.
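Why hardware-backed, origin-bound authentication raises the cost of an AiTM proxy, shown as an added example rather than anything from the Sopra Steria report: the browser writes the origin it is actually showing into the signed client data, and the relying party rejects an assertion whose origin is not its own. The flow mirrors WebAuthn in simplified form; the relying party name, origins and the use of an HMAC with a per-credential secret (standing in for the authenticator's ECDSA key pair) are all assumptions made for this illustration.

```python
import hashlib
import hmac
import json
import secrets
from urllib.parse import urlparse

RP_ID = "login.example.com"                   # constructed relying party
RP_ORIGIN = "https://login.example.com"
PROXY_ORIGIN = "https://login-example.com"    # constructed AiTM lookalike domain


class Authenticator:
    """Stand-in for a hardware token: one secret per relying party ID.
    The HMAC replaces the real per-credential ECDSA key pair (an assumption)."""

    def __init__(self):
        self._keys = {}

    def register(self, rp_id):
        self._keys[rp_id] = secrets.token_bytes(32)
        return self._keys[rp_id]  # with real WebAuthn the RP would store a public key

    def sign(self, rp_id, auth_data, client_data_hash):
        if rp_id not in self._keys:
            raise KeyError(f"no credential for {rp_id}")
        return hmac.new(self._keys[rp_id], auth_data + client_data_hash, hashlib.sha256).digest()


def authenticate(token, rp_id, challenge, page_origin, browser_enforces_rp_id=True):
    """Browser side of a login. The browser, not the page, writes the origin into
    clientData, and refuses an rpId that is not the page's domain or a parent of it."""
    host = urlparse(page_origin).hostname or ""
    if browser_enforces_rp_id and not (host == rp_id or host.endswith("." + rp_id)):
        raise PermissionError(f"browser refused rpId {rp_id} for page at {page_origin}")
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                              "origin": page_origin}, sort_keys=True).encode()
    auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01"  # rpIdHash || flags (UP)
    signature = token.sign(rp_id, auth_data, hashlib.sha256(client_data).digest())
    return {"client_data": client_data, "auth_data": auth_data, "signature": signature}


def relying_party_verify(assertion, credential_secret, expected_challenge):
    """Server-side checks; the origin check is what defeats a relaying proxy."""
    cd = json.loads(assertion["client_data"])
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if cd.get("challenge") != expected_challenge:
        return False, "challenge mismatch (stale or replayed assertion)"
    if cd.get("origin") != RP_ORIGIN:
        return False, f"origin {cd.get('origin')} is not {RP_ORIGIN}"
    if assertion["auth_data"][:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    expected = hmac.new(credential_secret,
                        assertion["auth_data"] + hashlib.sha256(assertion["client_data"]).digest(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, assertion["signature"]):
        return False, "bad signature"
    return True, "ok"


def login_attempt(page_origin, browser_enforces_rp_id=True):
    """One ceremony: the RP issues a challenge (which a proxy would relay unchanged);
    the victim's browser is looking at page_origin."""
    token = Authenticator()
    secret = token.register(RP_ID)
    challenge = secrets.token_urlsafe(16)
    try:
        assertion = authenticate(token, RP_ID, challenge, page_origin, browser_enforces_rp_id)
    except PermissionError as exc:
        return False, str(exc)
    return relying_party_verify(assertion, secret, challenge)


if __name__ == "__main__":
    print("genuine site:", login_attempt(RP_ORIGIN))
    print("via proxy:   ", login_attempt(PROXY_ORIGIN))
    print("via proxy, browser check disabled:", login_attempt(PROXY_ORIGIN, False))
```

Run as written, the genuine login verifies, the proxied login is refused by the browser before the token ever signs, and even with that browser check disabled the relying party still rejects the assertion because the signed origin is the lookalike domain. Neither the password nor the session can be relayed the way a one-time code can, which is the property that makes this class of MFA phishing-resistant.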
Awareness training, once relegated to annual compliance exercises, must become continuous and contextual. Simulated phishing exercises tailored to specific roles and current threats can dramatically improve response rates and reduce successful compromises.
Technological investment is equally crucial. Endpoint Detection and Response (EDR) tools, cloud-native email security solutions and real-time behavioural analytics provide vital capabilities to detect and disrupt advanced phishing operations.
Beyond technology, organisations must also rethink their incident response. Modern phishing attacks often unfold over days or weeks. The ability to detect unusual inbox rules, lateral movement and anomalous device registrations in real time is now a baseline requirement, not a luxury.
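Detection logic for the persistence signals named above and in the earlier discussion of forwarding rules, device registration and MFA changes, as an added example that is not part of the report: it scans audit events for inbox rules that forward externally, hide messages with sensitive keywords or carry a cryptic name, and for MFA-method or device registrations from an unfamiliar country or shortly after a login from one. The event schema, field names, user baselines and the sample events are all constructed for this illustration; real mailbox and identity audit logs use vendor-specific fields.

```python
import json
from datetime import datetime, timedelta

# Constructed sample audit events in a simplified generic schema (an assumption).
SAMPLE_EVENTS = [
    {"ts": "2025-03-04T08:02:11", "user": "cfo@example.com", "op": "Login",
     "ip": "203.0.113.7", "country": "NL"},
    {"ts": "2025-03-04T08:05:40", "user": "cfo@example.com", "op": "New-InboxRule",
     "rule": {"name": ".", "forward_to": "archive@attacker.example",
              "delete": False, "subject_contains": ["invoice"]}},
    {"ts": "2025-03-04T08:09:02", "user": "cfo@example.com", "op": "MfaMethodAdded",
     "method": "phone", "ip": "203.0.113.7", "country": "NL"},
    {"ts": "2025-03-04T09:15:00", "user": "hr@example.com", "op": "New-InboxRule",
     "rule": {"name": "Newsletters", "forward_to": None, "delete": False,
              "move_to": "Newsletters", "subject_contains": ["digest"]}},
    {"ts": "2025-03-04T10:30:00", "user": "cfo@example.com", "op": "DeviceRegistered",
     "device": "DESKTOP-ABC", "ip": "198.51.100.9", "country": "RO"},
]

INTERNAL_DOMAINS = {"example.com"}
SENSITIVE_OPS = {"MfaMethodAdded", "DeviceRegistered"}
SENSITIVE_KEYWORDS = {"invoice", "payment", "password", "mfa", "security"}
HIDING_FOLDERS = {"rss feeds", "junk", "deleted items", "archive"}
LOOKBACK = timedelta(hours=1)
# Constructed baseline of countries each user normally signs in from (an assumption).
BASELINE_COUNTRIES = {"cfo@example.com": {"GB"}, "hr@example.com": {"GB", "NL"}}


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def domain_of(address):
    return address.rsplit("@", 1)[-1].lower()


def check_inbox_rule(event, internal_domains=INTERNAL_DOMAINS):
    """Reasons an inbox rule looks like attacker persistence or concealment."""
    rule, reasons = event["rule"], []
    forward = rule.get("forward_to")
    if forward and domain_of(forward) not in internal_domains:
        reasons.append(f"forwards mail to external address {forward}")
    keywords = {k.lower() for k in rule.get("subject_contains", [])}
    hides = rule.get("delete") or (rule.get("move_to") or "").lower() in HIDING_FOLDERS
    if hides and keywords & SENSITIVE_KEYWORDS:
        reasons.append("hides messages matching sensitive keywords")
    if len(rule.get("name", "").strip(" .,-_")) < 2:
        reasons.append(f"cryptic rule name {rule.get('name')!r}")
    return reasons


def check_identity_change(event, earlier_events):
    """Reasons an MFA-method or device registration looks like account takeover."""
    user, reasons = event["user"], []
    baseline = BASELINE_COUNTRIES.get(user, set())
    if event.get("country") and event["country"] not in baseline:
        reasons.append(f"{event['op']} from unfamiliar country {event['country']}")
    window_start = _ts(event) - LOOKBACK
    for prior in earlier_events:
        if (prior["user"] == user and prior["op"] == "Login"
                and window_start <= _ts(prior) <= _ts(event)
                and prior.get("country") not in baseline):
            reasons.append(f"{event['op']} within {LOOKBACK} of login from "
                           f"unfamiliar country {prior['country']}")
            break
    return reasons


def find_suspicious_events(events, internal_domains=INTERNAL_DOMAINS):
    """Return one alert per event that trips at least one rule, in time order."""
    alerts = []
    ordered = sorted(events, key=_ts)
    for i, event in enumerate(ordered):
        if event["op"] == "New-InboxRule":
            reasons = check_inbox_rule(event, internal_domains)
        elif event["op"] in SENSITIVE_OPS:
            reasons = check_identity_change(event, ordered[:i])
        else:
            reasons = []
        if reasons:
            alerts.append({"ts": event["ts"], "user": event["user"],
                           "op": event["op"], "reasons": reasons})
    return alerts


if __name__ == "__main__":
    print(json.dumps(find_suspicious_events(SAMPLE_EVENTS), indent=2))
```

On the sample data the HR user's newsletter rule passes, while the finance user's one-character forwarding rule, the MFA method added minutes after a sign-in from an unfamiliar country, and the later device registration from a third country each produce an alert. The correlation window and the country baseline are the two knobs worth tuning against real sign-in history before such a rule goes into production.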
Board-level engagement is critical. As phishing matures into a systemic business risk, responsibility for resilience cannot be delegated solely to IT. Executive teams must be equipped to understand the threat landscape and fund adequate countermeasures.
An arms race unfolds
The commoditisation of phishing is reshaping the economics of cybercrime. With low entry costs and high potential rewards, the scale and scope of attacks will continue to expand. The burden on defenders, meanwhile, is intensifying – requiring a fusion of technology, training and strategy.
Organisations must treat phishing not as a single threat but as a persistent, evolving challenge that demands coordinated response and sustained investment. The days of viewing phishing as a nuisance are over. It is now a fully-fledged industry – one that thrives on speed, automation and human fallibility.
As threat actors become more agile and commercialised, corporate defenders must match that agility with intelligence-led, adaptive security frameworks. Anything less is an open invitation to compromise.