Voice-based phishing tactics surged in 2025, becoming a significant entry point for cyberattacks, according to Mandiant’s annual M-Trends report. This method, where attackers impersonate trusted individuals to gain network access, accounted for 11% of all incidents investigated by Mandiant last year, indicating a concerning shift in threat actor strategies and a growing challenge for cybersecurity defenses.
While exploited vulnerabilities remained the primary avenue for breaches for the sixth consecutive year, representing 32% of incidents, the notable increase in voice phishing highlights a tactical evolution. This trend is particularly evident in large-scale attacks with widespread consequences, as confirmed by Mandiant’s findings and expert analysis.
The Rise of Voice-Based Phishing
Voice-based phishing, often referred to as vishing, involves attackers making direct calls to employees or IT help desks with deceptive claims aimed at obtaining credentials or access. These attacks are attributed to sophisticated cybercrime groups, including offshoots of The Com collective like Scattered Spider.
Mandiant’s report underscores the effectiveness of these social engineering tactics. The firm identified voice-based phishing as the root cause of several prominent attack campaigns in 2025, including those targeting Salesforce customers and attributed to threat groups tracked as UNC6040 and UNC6240.
“This type of social engineering attack is extremely powerful,” said Jurgen Kutscher, vice president at Mandiant, in a statement. “It is more time-consuming; obviously, it requires skills and impersonation skills that the threat actors need to have, especially when they contact their IT help desk. We’ve clearly seen several threat actors being very specialized and very successful with this type of attack.”
In contrast to the growing prevalence of vishing, traditional email-based phishing saw a significant decline. Previously a popular and low-barrier entry method, email phishing accounted for only 6% of observed intrusions in 2025, down from 14% in 2024 and 22% in 2022. The shift suggests attackers are investing more effort into higher-yield, more targeted attacks.
“The higher the investment, the higher the payout needs to be,” Kutscher explained. “Interactive phishing takes a significant amount of time and investment. So as an attacker, you’ve got to do that when you believe that there’s a significant return.”
These interactive attacks are particularly hard to defend against because they exploit human psychology rather than software flaws, so they often bypass technical security controls entirely. As Kutscher noted, “We’ve always said, unfortunately the human tends to be the weakest link.”
Other Persistent Threats and Targeted Industries
Beyond social engineering, exploited vulnerabilities continue to be a critical vector for cyber intrusions. Mandiant identified three key vulnerabilities exploited extensively in 2025, often as zero-days.
Top Exploited Vulnerabilities
- CVE-2025-31324 in SAP NetWeaver
- CVE-2025-61882 in Oracle E-Business Suite
- CVE-2025-53770 in Microsoft SharePoint
These vulnerabilities were exploited by a diverse range of threat actors, indicating their widespread impact and appeal to attackers with varying motives.
Globally, Mandiant logged approximately 500,000 hours of incident investigation in 2025, up from the 450,000 hours recorded in 2024. Technology companies remained the most frequently targeted sector, accounting for 17% of all incidents.
Other highly targeted industries in 2025 included finance (14.6%), business and professional services (13.3%), and health care (11.9%). These sectors continue to be attractive to attackers due to the sensitive data they hold and the critical services they provide.
Looking ahead, organizations are expected to continue refining their defenses against both sophisticated social engineering attacks like voice-based phishing and the persistent threat of exploited software vulnerabilities. The increasing investment by adversaries in more complex intrusion methods suggests a continued need for advanced threat intelligence and robust security awareness training for employees.