Cybercriminals are betting big on phishing… and it’s paying off.
Last year saw 3.7 billion malicious links targeting logins, while ClickFix campaigns surged nearly 400%, signaling a dangerous shift in attacker strategy, according to a new report by Proofpoint. Security experts warn that if this trend continues, phishing could eclipse other cyberattack methods entirely in the years ahead.
“ClickFix reminds us: the weakest link isn’t email,” said Ken Underhill, a cybersecurity professional at TechnologyAdvice. “It’s human behavior at the keyboard.”
ClickFix drives a new era of social engineering
Proofpoint’s Human Factor 2025 Vol. 2 report shows how phishing has evolved from clumsy scams into one of the most effective tools in a criminal’s arsenal. The ClickFix technique, which prompts users to grant access or fix a supposed issue by clicking a fraudulent link, has gained explosive traction over the past year.
Between May 2024 and May 2025, the volume of phishing URLs tied to ClickFix almost quadrupled. The greatest spike came in early 2025, when activity accelerated rapidly. This surge reflects a broader trend: attackers are shifting away from technical exploits and malware-heavy attachments, instead favoring social engineering at scale — exploiting trust and urgency to bypass defenses.
Alongside ClickFix, researchers also pointed to the rise of “quishing,” a phishing technique that embeds QR codes into emails or documents. Scanning the code redirects the user to a malicious site designed to steal credentials. Proofpoint noted that quishing has steadily grown as attackers look for new ways to dodge email filters and exploit human curiosity.
Credentials first, malware second
The overwhelming majority of phishing campaigns, around 3.7 billion URLs in the past year, were aimed at stealing usernames and passwords. In contrast, only 8.3 million links attempted to deliver malware payloads. The disparity highlights how stolen credentials have become a more reliable entry point for attackers.
When malware was delivered, remote-access tools were the top choice, appearing in about one-third of observed cases. Keyloggers and infostealers followed, designed to siphon sensitive information and maintain persistence within compromised systems. Together, these tactics show that while malware is still part of the threat landscape, criminals increasingly see phishing for credentials as the fastest route to profit.
What it means for defenders
The spike in ClickFix phishing underscores a sobering reality: the inbox is now the frontline of cybersecurity. Attackers don’t need zero-day exploits or advanced malware when a convincing link can achieve the same result.
To protect against this shift, organizations should focus on layered defenses:
- Advanced email filtering
- URL scanning
- Multifactor authentication
- Strong password policies
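The URL-scanning control from the list above, as an added example that is not part of the article or of Proofpoint's report: a standard-library Python pass that pulls the links out of a constructed HTML message and flags any whose visible text names a different host than the href (the "convincing link" pattern behind credential lures), that point outside an assumed trusted-domain allow-list, or that use plain HTTP. The sample message, the domain list and the finding labels are all assumptions made for this example, not vendor logic.

```python
"""Minimal URL-scanning pass over an inbound email.

Added example, not from the article or the Proofpoint report. It applies
one of the layered controls the article lists (URL scanning) to a
constructed message. Heuristics, labels and domains are assumptions.
"""
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: a login lure whose visible text names one host while
# the href points at another. All example.* names are placeholders.
SAMPLE_EMAIL = b"""\
From: IT Support <support@example.com>
To: user@example.com
Subject: Action required: fix your account issue
Content-Type: text/html; charset=utf-8

<html><body>
<p>We detected a problem with your account. Click to fix it:</p>
<a href="http://login-example.net/verify">https://portal.example.com/login</a>
<p>Docs: <a href="https://intranet.example.com/help">intranet.example.com/help</a></p>
</body></html>
"""

# Assumed allow-list of domains this organization legitimately links to.
TRUSTED_DOMAINS = {"example.com", "portal.example.com", "intranet.example.com"}


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url_or_text):
    """Lowercase hostname from a full URL or a bare 'host/path' string."""
    if "://" not in url_or_text:
        url_or_text = "http://" + url_or_text
    return (urlparse(url_or_text).hostname or "").lower()


def scan_message(raw_bytes):
    """Return a list of suspicious links found in the HTML parts of a message.

    Each finding carries the href, the anchor text and the reasons it was
    flagged: 'untrusted-domain', 'display-href-mismatch' or 'plain-http'.
    """
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        collector = LinkCollector()
        collector.feed(part.get_content())
        for href, text in collector.links:
            href_host = host_of(href)
            reasons = []
            if href_host not in TRUSTED_DOMAINS:
                reasons.append("untrusted-domain")
            # Only compare hosts when the anchor text itself looks like a URL.
            text_host = host_of(text) if "." in text else ""
            if text_host and text_host != href_host:
                reasons.append("display-href-mismatch")
            if href.lower().startswith("http://"):
                reasons.append("plain-http")
            if reasons:
                findings.append({"href": href, "text": text, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in scan_message(SAMPLE_EMAIL):
        print(finding)
```

On the constructed message the second link is trusted and consistent and passes silently; the first is flagged on all three counts. In a real gateway the allow-list would come from configuration and the findings would feed a quarantine or rewrite decision rather than a print.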
Just as critical is ongoing employee training to help staff recognize deceptive tactics before a single click can trigger a breach.
As phishing continues to evolve, the lesson is clear: technology alone won’t stop these attacks. Building a security-aware workforce may be the most important defense of all.
“Resilience against ClickFix comes from layered defenses — technology, processes, and people working together,” Underhill said.
Want to better protect your logins against phishing and credential theft? Check out our guide to the six best password managers for small businesses.