Our Q1 2025 threat report on phishing in Europe reveals a significant escalation in the sophistication and volume of phishing campaigns targeting European businesses between January and March 2025.
CT App Center’s threat intelligence engine processed over 2.4 million URL scans during Q1 2025, identifying 48,000+ malicious domains and 12,000+ active phishing campaigns. This report summarises the key findings, attack patterns and industries most affected.
Key Findings
The headline numbers from Q1 2025 paint a concerning picture for European business security:
| Metric | Q1 2025 | vs Q4 2024 |
|---|---|---|
| Phishing domains detected | 48,247 | +34% |
| Active campaigns | 12,891 | +28% |
| Average campaign duration | 4.2 days | -18% |
| Industries targeted | 23 | +5 |
| Countries affected | 31 | +3 |
The decrease in average campaign duration is particularly significant. Attackers are launching shorter, more intense campaigns specifically designed to evade detection systems that rely on historical reputation data.
Most Targeted Industries
Q1 2025 Threat Report: Phishing Europe Overview
Financial Services
Financial services remained the most targeted sector in Q1 2025, accounting for 31% of all phishing campaigns detected. Attackers primarily targeted online banking customers and payment processors, using fake login pages that closely replicate legitimate banking interfaces.
Portuguese and Spanish financial institutions saw a 42% increase in phishing attempts compared to Q4 2024, with attackers specifically exploiting the growing adoption of digital banking services in Southern Europe.
E-commerce and Retail
E-commerce platforms accounted for 22% of campaigns, with a notable spike during January driven by post-holiday return and refund scams. Attackers sent convincing emails impersonating major European retailers, directing victims to fake refund portals designed to harvest payment card data.
Professional Services
Law firms, accounting practices and consultancies saw a 67% increase in targeted attacks — the largest year-on-year increase of any sector. These businesses hold sensitive client data and often have privileged access to client financial systems, making them extremely valuable targets.
Healthcare
Healthcare organisations accounted for 18% of campaigns. Attackers frequently exploited COVID-related communications and health insurance notifications as phishing lures, targeting both patients and healthcare workers.
Most Common Attack Techniques
Adversary-in-the-Middle (AiTM) Phishing
AiTM attacks represented the most significant technical evolution in Q1 2025. Unlike traditional phishing that simply harvests credentials, AiTM attacks intercept the authentication session in real time — bypassing multi-factor authentication entirely.
These attacks use reverse proxy frameworks that sit between the victim and the legitimate website, capturing both credentials and session cookies simultaneously. Organisations that considered MFA a complete defence against phishing must now re-evaluate their security posture.
QR Code Phishing (Quishing)
QR code phishing increased by 156% in Q1 2025. Attackers embed malicious URLs in QR codes distributed via email, printed materials or messaging apps. Because QR codes cannot be easily previewed before scanning, they bypass many traditional URL-based security filters.
AI-Generated Phishing Content
The quality of phishing email content improved dramatically in Q1 2025, driven by the widespread availability of large language models. Grammatical errors and awkward phrasing — previously reliable indicators of phishing — are now absent from the majority of campaigns we analysed.
AI-generated phishing emails are increasingly personalised, referencing real company information, employee names and recent business events scraped from public sources including LinkedIn and company websites.
Geographic Distribution
The United Kingdom remained the most targeted country in Europe, followed by Germany, France and the Netherlands. Portugal saw a 38% increase in phishing campaigns — above the European average of 28% — driven primarily by attacks on financial services and e-commerce.
The majority of phishing infrastructure continues to be hosted in the United States, with a growing proportion hosted by bulletproof hosting providers in Eastern Europe and Southeast Asia.
Indicators of Compromise
During Q1 2025, CT App Center’s threat intelligence engine identified the following common indicators across active phishing campaigns:
Domain patterns:
- Newly registered domains (less than 30 days old) used in 78% of campaigns
- Typosquatting of major brand domains with character substitution
- Use of legitimate cloud infrastructure (Azure, AWS, Cloudflare Pages) to host phishing pages
Email patterns:
- Display name spoofing without domain spoofing
- Urgency-based subject lines referencing account security or pending actions
- HTML email bodies with minimal text to evade content filters
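An added example (not CT App Center code) showing how the domain and email indicators above can be checked against a single message. The brand name, its legitimate domain, the substitution table and the urgency keywords are assumptions chosen for illustration, and both sample messages are constructed.

```python
import re
from datetime import date
from email.utils import parseaddr

# Assumptions for this example: the protected brand and its real domain.
BRAND = "examplebank"
LEGIT_DOMAINS = {"examplebank.example"}
# Look-alike character substitutions (fake -> real), multi-character ones first.
SUBSTITUTIONS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]
URGENCY = re.compile(r"\b(urgent|verify|suspended|action required|security alert)\b", re.I)

def skeleton(label):
    """Undo look-alike substitutions so 'examp1ebank' compares equal to 'examplebank'."""
    label = label.lower()
    for fake, real in SUBSTITUTIONS:
        label = label.replace(fake, real)
    return label

def is_typosquat(domain):
    domain = domain.lower()
    return domain not in LEGIT_DOMAINS and any(
        skeleton(part) == skeleton(BRAND) for part in domain.split("."))

def indicators(from_header, subject, link_domain, registered, today):
    """Return which of the report's indicators a message matches."""
    hits = []
    display, address = parseaddr(from_header)
    sender_domain = address.rpartition("@")[2].lower()
    if (today - registered).days < 30:          # newly registered link domain
        hits.append("newly_registered_domain")
    if is_typosquat(link_domain):
        hits.append("typosquat_character_substitution")
    # Display name claims the brand, but the address is on an unrelated domain.
    if BRAND in re.sub(r"[^a-z0-9]", "", display.lower()) and sender_domain not in LEGIT_DOMAINS:
        hits.append("display_name_spoofing")
    if URGENCY.search(subject):
        hits.append("urgency_subject")
    return hits

# Constructed sample messages (not real campaign data):
# (From header, subject, linked domain, registration date of linked domain)
PHISH = ('"Example Bank Security" <notice@mail-service.example>',
         "Action required: verify your account", "examp1ebank.example", date(2025, 3, 1))
BENIGN = ('"Example Bank" <news@examplebank.example>',
          "Your March statement", "examplebank.example", date(2012, 5, 4))

if __name__ == "__main__":
    for msg in (PHISH, BENIGN):
        print(msg[0], "->", indicators(*msg, today=date(2025, 3, 10)))
```

The registration date is passed in as data here; in practice it would come from a WHOIS or RDAP lookup on the linked domain.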
Recommendations for European Businesses
Based on our Q1 2025 analysis, we recommend the following immediate actions:
Implement real-time URL scanning. Scan every link before it reaches your employees. CT Scan cross-references 40+ threat databases and detects newly registered phishing domains within minutes of registration.
Monitor for brand impersonation. Set up alerts for domain registrations that resemble your company domain. CT Alert monitors the global domain registration feed in real time and notifies you immediately when a suspicious domain is registered.
Review your MFA strategy. Standard TOTP-based MFA is no longer sufficient against AiTM attacks. Consider phishing-resistant MFA methods such as hardware security keys or passkeys.
Train employees to recognise QR code phishing. Update your security awareness training to include quishing scenarios. Employees should verify QR code destinations before scanning using a URL reputation tool.
Establish a threat intelligence feed. Subscribe to regular threat intelligence reports to stay ahead of emerging attack patterns. The threat landscape is evolving faster than ever — organisations that rely on reactive security will always be one step behind.
According to the European Union Agency for Cybersecurity (ENISA), phishing remains the most prevalent initial access technique across all sectors in Europe.
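An added example (not from the original report) illustrating the "Review your MFA strategy" recommendation: a TOTP code carries no record of where it was typed, so a code entered on a proxy page is still valid at the real site, while a WebAuthn assertion records the origin the browser was on and the server rejects a mismatch. The origins, secret and challenge are constructed; only the `clientDataJSON` checks are shown, and the signature verification that stops a proxy rewriting the origin is omitted.

```python
import base64
import hashlib
import hmac
import json
import struct

RP_ORIGIN = "https://login.examplebank.example"     # assumed legitimate origin
PROXY_ORIGIN = "https://login.examp1ebank.example"  # assumed look-alike proxy origin

def totp(secret, now, step=30, digits=6):
    """RFC 6238 TOTP (HMAC-SHA1). Nothing in the code says where it was typed."""
    mac = hmac.new(secret, struct.pack(">Q", now // step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def server_accepts_totp(secret, submitted, now):
    return hmac.compare_digest(submitted, totp(secret, now))

def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def browser_client_data(page_origin, challenge):
    """clientDataJSON as a browser builds it: the origin is the page actually
    loaded, filled in by the browser rather than by the page's script."""
    return json.dumps({"type": "webauthn.get", "challenge": b64url(challenge),
                       "origin": page_origin}).encode()

def server_accepts_client_data(raw, expected_challenge):
    """Relying-party checks on clientDataJSON (signature check omitted here)."""
    data = json.loads(raw)
    return (data.get("type") == "webauthn.get"
            and hmac.compare_digest(str(data.get("challenge")), b64url(expected_challenge))
            and data.get("origin") == RP_ORIGIN)

def relay_outcomes(secret, challenge, now):
    """The victim authenticates on the proxy origin; the proxy forwards the result."""
    code_typed_on_proxy = totp(secret, now)
    assertion_on_proxy = browser_client_data(PROXY_ORIGIN, challenge)
    return {"totp": server_accepts_totp(secret, code_typed_on_proxy, now),
            "webauthn": server_accepts_client_data(assertion_on_proxy, challenge)}

if __name__ == "__main__":
    # Constructed secret, challenge and timestamp for the demonstration.
    print(relay_outcomes(b"12345678901234567890", b"\x01" * 32, 59))
```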
Methodology
This report is based on analysis of 2.4 million URL scans processed by CT App Center’s threat intelligence engine between 1 January and 31 March 2025. Phishing domains were identified through a combination of machine learning classification, blacklist cross-referencing and community reports submitted via CheckTrusted.com.
Download the Full Report
The complete Q1 2025 Threat Report including full campaign data, IOC lists and sector-specific recommendations is available to CT App Center Pro and Business subscribers.