URL-based and QR code phishing increasing

Cybercriminals are increasingly employing advanced social engineering techniques and AI-generated content to create malicious URLs that are difficult for users to identify, according to Proofpoint. URL-based threats have become the dominant form of cyber threats, manifesting through emails, text messages, and collaboration apps. Attackers are not only impersonating trusted brands but are also abusing legitimate services, tricking users with fake error prompts, and embedding threats in QR codes and SMS messages to bypass traditional security measures.

The preference for URLs over attachments has grown significantly in recent years. Researchers observed that, during a six-month period in 2024–2025, URL threats were detected four times more frequently than attachments. Cybercriminals favour malicious URLs because they are easier to disguise and more likely to evade detection. These links are often embedded in messages, buttons, and even within attachments like PDFs or Word documents, enticing users to click and initiate credential phishing or malware downloads.

Credential phishing has emerged as the primary focus for attackers. The volume of ClickFix campaigns has surged by nearly 400% year over year, making it one of the most prevalent URL-based techniques used by malware threat actors. ClickFix lures users into executing malicious code by displaying fake error messages or CAPTCHA screens. This method exploits users’ desire to resolve perceived technical issues, facilitating the spread of Remote Access Trojans (RATs), infostealers, and loaders. Credential phishing remains the most common goal for attackers, with 3.7 billion URL-based attacks aimed at stealing login credentials.

Mobile threats are also on the rise, with Proofpoint identifying over 4.2 million QR code phishing threats in the first half of 2025 alone. QR code-based attacks circumvent enterprise protections by leveraging personal mobile devices. Once scanned, these codes redirect users to phishing sites designed to harvest sensitive information, such as credentials, credit card data, or personal identifiers, all while appearing legitimate. Smishing campaigns have increased by 2,534% as attackers shift their focus to mobile devices. At least 55% of suspected SMS-based phishing messages analysed contained malicious URLs, often mimicking government communications or delivery services. This trend reflects a shift towards mobile-first targeting by threat actors, capitalising on the immediacy and trust users place in mobile text messages.