Cybercriminals increasingly favor malicious URLs over attachments, as they are easier to disguise and more likely to evade detection, according to the latest report from Proofpoint.
These links are embedded in messages, buttons, and even inside attachments like PDFs or Word documents to entice clicks that initiate credential phishing or malware downloads.
Credential phishing remains the most common goal for attackers, with 3.7 billion URL-based attacks aimed at stealing logins. Attackers are overwhelmingly focused on stealing login credentials rather than distributing malware. Phishing lures impersonate trusted brands and use off-the-shelf tools so even low-skilled actors can deploy highly convincing campaigns that bypass multi-factor authentication and can lead to full account takeover.
The report also finds a 400 percent year-on-year increase in ‘ClickFix’ malware campaigns. This is a phishing technique that lures users into running malicious code by displaying fake error messages or CAPTCHA screens. By exploiting the urge to resolve a perceived technical issue, this method has quickly become a go-to tactic for malware operators, helping them spread remote access trojans (RATs), infostealers, and loaders.
In addition there were over 4.2 million QR code phishing threats in the first half of 2025 alone. QR code-based attacks remove users from enterprise protection by targeting personal mobile devices.
Smishing campaigns have seen a jump too and at least 55 percent of suspected SMS-based phishing messages analyzed by Proofpoint contained malicious URLs.
“The most damaging cyber threats today don’t target machines or systems. They target people. In addition, URL-based phishing threats are no longer confined to the inbox, they can be carried out anywhere and are often extremely difficult for people to identify,” says Selena Larson, senior threat intelligence analyst at Proofpoint. “From QR codes in emails and fake CAPTCHA pages to mobile-first smishing scams, attackers are weaponizing trusted platforms and familiar experiences to exploit human psychology. Defending against these threats requires multilayered, AI-powered detection and a human-centric security strategy.”
You can get the full report from the Proofpoint site.
Image credit: BrianAJackson/depositphotos.com
