New research has found that 90 per cent of phishing campaigns in 2025 used phishing-as-a-service (PhaaS) kits, putting advanced scamming techniques within reach of newly formed and less-established cyber criminal groups.
Barracuda revealed this week that the well-known Mamba 2FA phishing kit alone accounted for nearly 10 million attacks.
The investigation found that the number of PhaaS kits doubled in the past year, with groups such as Whisper 2FA and GhostFrame among the “aggressive newcomers” driving the continued evolution of phishing-based scams and intrusions.
Barracuda’s research found that multifactor authentication (MFA) bypass, URL obfuscation and CAPTCHA abuse were each used in nearly half of all attacks (43 to 48 per cent).
Techniques designed to evade security software and scanning tools, such as malicious QR codes and polymorphic attacks, appeared in 18 to 20 per cent of attacks.
“Phishing kits shifted up another level in 2025 as they increased in number and sophistication, bringing advanced, full-service attack platforms to even less-skilled cyber criminals and enabling them to launch powerful attacks at scale,” said Ashok Sakthivel, software engineering director at Barracuda.
“The kits feature techniques designed to make it harder for users and security teams to detect and prevent fraud.”
The lure themes are largely unchanged from previous years: financial scams make up the largest share, one in five, followed by digital-signature, legal and HR-related messages.
The investigation also revealed concerning trends in the growing use of generative AI in phishing emails, voicemails, messages and other communications.
Barracuda’s research shows that generative AI is commonly used in payment-themed phishing scams, where the language, tone and style of the messages are all generated to give an impression of legitimacy.
Generative AI is also behind the rise of “vishing” voicemail scams: highly personalised, adaptable voice-based phishing messages that sound far more authentic, a new element of these scams that continues to evolve.
“To stay protected, organisations need to move past static defences and adopt layered strategies: user training, phishing-resistant MFA, continuous monitoring, and to ensure email security sits at the heart of an integrated, end-to-end security strategy,” said Sakthivel.