This week, hundreds of thousands of spearphishing campaigns were launched. This week’s targets were anyone and everyone. The messages asked recipients to visit links to malicious websites, provide Docusign signatures, and initiate bitcoin transfers for astronomically priced antivirus solutions. In short, it was business as usual.
Spearphishing as a malicious technique has been around since the early to mid-2000s. What new and innovative method is being used in 2025? None. That’s right. The method of attack is exactly the same as it has always been: compose an email message, insert evil content, hit send. At this point, it’s very unlikely that anyone hasn’t received an email (or a thousand of them) attempting to lure them into clicking, paying, or handing over personally identifiable information.
What does this have to do with businesses? They’re normally run by employees who use organizational email accounts to conduct the work that generates earnings. Invariably, employee email addresses are going to end up on the “definitely spearphish this one” list. When that happens and an employee clicks, the business can easily be harmed. The moment the dreaded click occurs, it becomes readily apparent whether (1) the company’s cybersecurity tools are correctly configured and (2) its Information Technology staff are properly trained to react when things go wrong. This scenario is one of many reasons organizations should assess their collective cybersecurity posture at least annually. It’s also critical to implement continuous monitoring tools and processes that regularly check compliance with security controls and the status of vulnerability remediation.
It’s not all the responsibility of the IT staff. User education is one of the most critical yet most often overlooked elements. Network users from the executive level all the way down to the mailroom need to be shown “what right looks like”. They need regular and recurring training on spotting suspicious emails, requests for action, and links. As has been said many times over, users are the first line of defense. An additional layer of defense, and an excellent way to test user awareness, is phishing simulation software such as Huntress, TitanHQ, Gophish, or any of a myriad of similar offerings.
Beyond the user’s keyboard, it falls on the organization’s leadership to ensure IT and Cybersecurity staff are empowered to do their jobs. This comes in two forms. First, staff must have the tools they need, which means putting funding where it’s needed. It doesn’t matter how great the organization’s products or services are if employees can’t get on the network or customers can’t reach the website.
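The “tells” that awareness training drills into users can also be checked mechanically, and seeing them in code makes the training concrete. The script below is an added example, not code from the original post or from any of the products named above; it scans a raw email for three common spearphishing indicators: an SPF or DKIM failure reported in the Authentication-Results header, a Reply-To domain that differs from the From domain, and links whose visible text shows one host while the href points at another or at a lookalike of the organization’s domain. The sample messages, the organization domain `example-corp.com`, and the lookalike host are all constructed for the example.

```python
"""Added example: flag classic spearphishing indicators in a raw email.

Everything here is constructed for illustration: the organization domain,
the sample messages and the lookalike host are not from any real campaign.
"""
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

INTERNAL_DOMAIN = "example-corp.com"  # assumed organization domain


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> tag in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(value):
    """Lowercased hostname from a URL or bare domain; '' if there is none."""
    parsed = urlparse(value if "://" in value else "http://" + value)
    return (parsed.hostname or "").lower()


def _is_internal(host):
    return host == INTERNAL_DOMAIN or host.endswith("." + INTERNAL_DOMAIN)


def find_indicators(raw_message):
    """Return a list of human-readable findings for one RFC 5322 message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []

    # 1. Authentication-Results: the receiving MTA recorded an SPF/DKIM failure.
    auth = str(msg.get("Authentication-Results", "")).lower()
    for mech in ("spf", "dkim"):
        if f"{mech}=fail" in auth:
            findings.append(f"{mech} failed per Authentication-Results")

    # 2. Reply-To pointing somewhere other than the apparent sender's domain.
    frm, rto = msg["From"], msg["Reply-To"]
    if frm is not None and rto is not None and frm.addresses and rto.addresses:
        from_domain = frm.addresses[0].domain.lower()
        reply_domain = rto.addresses[0].domain.lower()
        if from_domain != reply_domain:
            findings.append(
                f"Reply-To domain {reply_domain} differs from From domain {from_domain}"
            )

    # 3. Links: visible text vs. real target, and lookalikes of our own domain.
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        collector = _LinkCollector()
        collector.feed(body.get_content())
        first_label = INTERNAL_DOMAIN.split(".")[0]  # e.g. "example-corp"
        for href, text in collector.links:
            href_host = _host(href)
            text_host = _host(text) if "." in text and " " not in text else ""
            if text_host and text_host != href_host:
                findings.append(f"link text shows {text_host} but points to {href_host}")
            if href_host and not _is_internal(href_host) and first_label in href_host:
                findings.append(f"lookalike domain in link: {href_host}")
    return findings


# Constructed sample: an "urgent wire approval" lure with all three tells.
SAMPLE_PHISH = """\
From: "Pat Finance" <pat@example-corp.com>
Reply-To: pat.finance@mail-relay-service.net
To: alex@example-corp.com
Subject: Urgent: wire approval needed today
Authentication-Results: mx.example-corp.com; spf=fail smtp.mailfrom=example-corp.com; dkim=none
Content-Type: text/html; charset="utf-8"

<html><body><p>Please approve the transfer here:
<a href="http://example-corp.com.verify-account.net/login">https://portal.example-corp.com/approve</a></p></body></html>
"""

# Constructed sample: an ordinary internal message that should raise nothing.
SAMPLE_CLEAN = """\
From: Pat Finance <pat@example-corp.com>
To: alex@example-corp.com
Subject: Lunch
Authentication-Results: mx.example-corp.com; spf=pass; dkim=pass
Content-Type: text/plain; charset="utf-8"

See you at noon.
"""

if __name__ == "__main__":
    for finding in find_indicators(SAMPLE_PHISH):
        print("FLAG:", finding)
    print("clean message findings:", find_indicators(SAMPLE_CLEAN))
```

Run it as-is and the lure produces four findings while the clean message produces none. The same checks are a reasonable starting point for a mail-gateway rule or for scoring the results of a phishing simulation, but they are deliberately simple: a real gateway would also evaluate DMARC alignment and the reputation of every link host.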
The second aspect of empowerment is IT and Cybersecurity staff having the authority to do their jobs. If a computer isn’t compliant with the most recent operating system and application updates, it has to be quarantined until the vulnerabilities are remediated. If IPS administrators aren’t authorized to block newly identified suspicious traffic “on the fly”, or system admins aren’t allowed to immediately push out fixes for zero-day vulnerabilities, the technical staff may as well be sent home.
When it comes to the 2025 Spearphishing Season, it’s business as usual for cybersecurity professionals. And as long as organizations recognize the importance of supporting their IT departments and training their users, it can stay business as usual on the front end as well.