{"id":25269,"date":"2026-02-11T16:41:12","date_gmt":"2026-02-11T12:41:12","guid":{"rendered":"https:\/\/me-en.kaspersky.com\/blog\/?p=25269"},"modified":"2026-02-13T16:43:05","modified_gmt":"2026-02-13T12:43:05","slug":"spam-and-phishing-2025","status":"publish","type":"post","link":"https:\/\/me-en.kaspersky.com\/blog\/spam-and-phishing-2025\/25269\/","title":{"rendered":"Phishing and spam: the wildest campaigns of 2025"},"content":{"rendered":"

Every year, scammers cook up new ways to trick people, and 2025 was no exception. Over the past year, our anti-phishing system thwarted more than 554 million attempts to follow phishing links, while our Mail Anti-Virus blocked nearly 145 million malicious attachments. To top it off, almost 45% of all emails worldwide turned out to be spam. Below, we break down the most impressive phishing and spam schemes from last year. For the deep dive, you can read the full Spam and Phishing in 2025<\/a> report on Securelist.<\/p>\n

Phishing for fun<\/h2>\n

Music lovers and cinephiles were prime targets for scammers in 2025. Bad actors went all out creating fake ticketing aggregators and spoofed versions of popular streaming services.<\/p>\n

On these fake aggregator sites, users were offered \u201cfree\u201d tickets to major concerts. The catch? You just had to pay a small \u201cprocessing fee\u201d or \u201cshipping cost\u201d. Naturally, the only thing being delivered was your hard-earned cash straight into a scammer\u2019s pocket.<\/p>\n

\"\"<\/a>

Free Lady Gaga tickets? Only in a mousetrap<\/p><\/div>\n

With streaming services, the hustle went like this: users received a tempting offer to, say, migrate their Spotify playlists to YouTube by entering their Spotify credentials. Alternatively, they were invited to vote for their favorite artist in a chart \u2014 an opportunity most fans find hard to pass up. To add a coat of legitimacy, scammers name-dropped heavy hitters like Google and Spotify. The phishing form targeted multiple platforms at once \u2014 Facebook, Instagram, or email \u2014 requiring users to enter their credentials to vote<\/span> hand over their accounts.<\/p>\n

\"A<\/a>

This phishing page mimicking a multi-login setup looks terrible \u2014 no self-respecting designer would cram that many clashing icons onto a single button<\/p><\/div>\n

In Brazil, scammers took it a step further: they offered users the chance to earn money just by listening to and rating songs on a supposed Spotify partner service. During registration, users had to provide their ID for Pix (the Brazilian instant payment system), and then make a one-time \u201cverification payment\u201d of 19.9 Brazilian reals (about $4) to \u201cconfirm their identity\u201d. This fee was, of course, a fraction of the promised \u201cpotential earnings\u201d. The payment form looked incredibly authentic and requested additional personal data \u2014 likely to be harvested for future attacks.<\/p>\n

\"An<\/a>

This scam posed as a service for boosting Spotify ratings and plays, but to start \u201cearning\u201d, you first had to pay up<\/p><\/div>\n

The \u201ccultural date\u201d scheme turned out to be particularly inventive. After matching and some brief chatting on dating apps, a new \u201clove interest\u201d would invite the victim to a play or a movie and send a link to buy tickets. Once the \u201cpayment\u201d went through, both the date and the ticketing site would vanish into thin air. A similar tactic was used to sell tickets for immersive escape rooms, which have surged in popularity lately; the page designs mirrored real sites to lower the user\u2019s guard.<\/p>\n

\"A<\/a>

Scammers cloned the website of a well-known Russian ticketing service<\/p><\/div>\n

Phishing via messaging apps<\/h2>\n

The theft of Telegram<\/a> and WhatsApp<\/a> accounts became one of the year\u2019s most widespread threats. Scammers have mastered the art of masking phishing as standard chat app activities, and have significantly expanded their geographical reach.<\/p>\n

On Telegram, free Premium subscriptions<\/a> remained the ultimate bait. While these phishing pages were previously only seen in Russian and English, 2025 saw a massive expansion into other languages. Victims would receive a message \u2014 often from a friend\u2019s hijacked account \u2014 offering a \u201cgift\u201d. To activate it, the user had to log in to their Telegram account on the attacker\u2019s site, which immediately led to another hijacked account.<\/p>\n

Another common scheme involved celebrity giveaways. One specific attack, disguised as an NFT giveaway, stood out because it operated through a Telegram Mini App<\/a>. For the average user, spotting a malicious Mini App is much harder than identifying a sketchy external URL.<\/p>\n

\"Phishing<\/a>

Scammers blasted out phishing bait for a fake Khabib Nurmagomedov NFT giveaway in both Russian and English simultaneously. However, in the Russian text, they forgot to remove a question from the AI that generated the text, \u201cDo you need bolder, formal, or humorous options?\u201d \u2014 which points to a rushed job and a total lack of editing<\/p><\/div>\n

Finally, the classic vote for my friend<\/a> messenger scam evolved in 2025 to include prompts to vote for the \u201ccity\u2019s best dentist\u201d or \u201ctop operational leader\u201d \u2014 unfortunately, just bait for account takeovers.<\/p>\n

Another clever method for hijacking WhatsApp accounts was spotted in China, where phishing pages perfectly mimicked the actual WhatsApp interface. Victims were told that due to some alleged \u201cillegal activity\u201d, they needed to undergo \u201cadditional verification\u201d, which \u2014 you guessed it \u2014 ended up with a stolen account.<\/p>\n

\"A<\/a>

Victims were redirected to a phone number entry form, followed by a request for their authorization code<\/p><\/div>\n

Impersonating Government Services<\/h2>\n

Phishing that mimics government messages and portals is a \u201cclassic of the genre\u201d, but in 2025, scammers added some new scripts to the playbook.<\/p>\n

In Russia, vishing<\/a> attacks targeting government service users picked up steam. Victims received emails claiming an unauthorized login to their account, and were urged to call a specific number to undergo a \u201csecurity check\u201d. To make it look legit, the emails were packed with fake technical details: IP addresses, device models, and timestamps of the alleged login. Scammers also sent out phony loan approval notifications: if the recipient hadn\u2019t applied for a loan (which they hadn\u2019t), they were prompted to call a fake support team. Once the panicked victim reached an \u201coperator\u201d, social engineering took center stage.<\/p>\n

In Brazil, attackers hunted for taxpayer numbers (CPF numbers<\/a>) by creating counterfeit government portals. Since this ID is the master key for accessing state services, national databases, and personal documents, a hijacked CPF is essentially a fast track to identity theft.<\/p>\n

\"A<\/a>

This fraudulent Brazilian government portal of surprisingly high quality<\/p><\/div>\n

In Norway, scammers targeted people looking to renew their driver\u2019s licenses. A site mimicking the Norwegian Public Roads Administration collected a mountain of personal data: everything from license plate numbers, full names, addresses, and phone numbers to the unique personal identification numbers assigned to every resident. For the cherry on top, drivers were asked to pay a \u201clicense replacement fee\u201d of 1200 NOK (over US$125). The scammers walked away with personal data, credit card details, and cash. A literal triple-combo move!<\/p>\n

Generally speaking, motorists are an attractive target: they clearly have money and a car and a fear of losing it. UK-based scammers played on this by sending out demands to urgently<\/em> pay some overdue vehicle tax to avoid some unspecified \u201cenforcement action\u201d. This \u201cact now!\u201d urgency is a classic phishing trope designed to distract the victim from a sketchy URL or janky formatting.<\/p>\n

\"A<\/a>

Scammers pressured Brits to pay purportedly overdue vehicle taxes \u201cimmediately\u201d to keep something bad from happening<\/p><\/div>\n

Let us borrow your identity, please<\/h2>\n

In 2025, we saw a spike in phishing attacks revolving around Know Your Customer (KYC) checks. To boost security, many services now verify users via biometrics and government IDs. Scammers have learned to harvest this data by spoofing the pages of popular services that implement these checks.<\/p>\n

\"A<\/a>

On this fraudulent Vivid Money page, scammers systematically collected incredibly detailed information about the victim<\/p><\/div>\n

What sets these attacks apart is that, in addition to standard personal info, phishers demand photos of IDs or the victim\u2019s face \u2014 sometimes from multiple angles. This kind of full profile can later be sold on dark web marketplaces or used for identity theft. We took a deep dive into this process in our post, What happens to data stolen using phishing?<\/strong><\/a><\/p>\n

AI scammers<\/h2>\n

Naturally, scammers weren\u2019t about to sit out the artificial intelligence boom. ChatGPT became a major lure: fraudsters built fake ChatGPT Plus subscription checkout pages, and offered \u201cunique prompts\u201d guaranteed to make you go viral on social media.<\/p>\n

\"A<\/a>

This is a nearly pixel-perfect clone of the original OpenAI checkout page<\/p><\/div>\n

The \u201cearn money with AI\u201d scheme was particularly cynical. Scammers offered passive income from bets allegedly placed by ChatGPT: the bot does all the heavy lifting while the user just watches the cash roll in. Sounds like a dream, right? But to \u201ccatch\u201d this opportunity, you had to act fast. A special price on this easy way to lose your money was valid for only 15 minutes from the moment you hit the page, leaving victims with no time to think twice.<\/p>\n

\"A<\/a>

You\u2019ve exactly 15 minutes to lose \u20ac14.99! After that, you lose \u20ac39.99<\/p><\/div>\n

Across the board, scammers are aggressively adopting AI. They\u2019re leveraging deepfakes, automating high-quality website design, and generating polished copy for their email blasts. Even live calls with victims are becoming components of more complex schemes, which we detailed in our post, How phishers and scammers use AI<\/strong><\/a>.<\/p>\n

Booby-trapped job openings<\/h2>\n

Someone looking for work is a prime target for bad actors. By dangling high-paying remote roles at major brands, phishers harvested applicants\u2019 personal data \u2014 and sometimes even squeezed them for small \u201cdocument processing fees\u201d or \u201ccommissions\u201d.<\/p>\n

\"A<\/a>

\u201c$1000 on your first day\u201d for remote work at Amazon. Yeah, right<\/p><\/div>\n

In more sophisticated setups, \u201cemployment agency\u201d phishing sites would ask for the phone number linked to the user\u2019s Telegram account during registration. To finish \u201csigning up\u201d, the victim had to enter a \u201cconfirmation code\u201d, which was actually a Telegram authorization code. After entering it, the site kept pestering the applicant for more profile details \u2014 clearly a distraction to keep them from noticing the new login notification on their phone. To \u201cverify the user\u201d, the victim was told to wait 24 hours, giving the scammers, who already had a foot in the door, enough time to hijack the Telegram account permanently<\/a>.<\/p>\n

Hype is a lie (but a very convincing one)<\/h2>\n

As usual, scammers in 2025 were quick to jump on every trending headline, launching email campaigns at breakneck speed.<\/p>\n

For instance, following the launch of $TRUMP meme coins by the U.S. President, scam blasts appeared promising free NFTs from \u201cTrump Meme Coin\u201d and \u201cTrump Digital Trading Cards\u201d. We\u2019ve previously broken down exactly how meme coins work, and how to (not) lose your shirt on them<\/a>.<\/p>\n

The second the iPhone 17 Pro hit the market, it became the prize in countless fake surveys. After \u201cwinning\u201d, users just had to provide their contact info and pay for shipping. Once those bank details were entered, the \u201cwinner\u201d risked losing not just the shipping fee, but every cent in their account.<\/p>\n

Riding the Ozempic wave, scammers flooded inboxes with offers for counterfeit versions of the drug, or sketchy \u201calternatives\u201d that real pharmacists have never even heard of.<\/p>\n

And during the BLACKPINK world tour, spammers pivoted to advertising \u201cscooter suitcases just like the band uses\u201d.<\/p>\n

Even Jeff Bezos\u2019s wedding in the summer of 2025 became fodder for \u201cNigerian\u201d email scams<\/a>. Users received messages purportedly from Bezos himself or his ex-wife, MacKenzie Scott. The emails promised massive sums in the name of charity or as \u201ccompensation\u201d from Amazon.<\/p>\n

How to stay safe<\/h2>\n

As you can see, scammers know no bounds when it comes to inventing new ways to separate you from your money and personal data \u2014 or even stealing your entire identity. These are just a few of the wildest examples from 2025; you can dive into the full analysis of the phishing and spam threat landscape<\/a> over at Securelist. In the meantime, here are a few tips to keep you from becoming a victim. Be sure to share these with your friends and family \u2014 especially kids, teens, and older relatives. These groups are often the main targets in the scammers\u2019 crosshairs.<\/p>\n

    \n
  1. Check the URL<\/strong> before entering any data. Even if the page looks pixel-perfect, the address bar can give the game away.<\/li>\n
  2. Don\u2019t follow links<\/strong> in suspicious messages, even if they come from someone you know. Their account could easily have been hijacked.<\/li>\n
  3. Never share verification codes with anyone<\/strong>. These codes are the master keys to your digital life.<\/li>\n
  4. Enable two-factor authentication<\/strong> everywhere you can. It adds a crucial extra hurdle for hackers.<\/li>\n
  5. Be skeptical of \u201ctoo good to be true\u201d offers<\/strong>. Free iPhones, easy money, and gifts from strangers are almost always a trap. For a refresher, check out our post, Phishing 101: what to do if you get a phishing email<\/strong><\/a>.<\/li>\n
  6. Install robust protection<\/strong> on all your devices<\/strong>. Kaspersky Premium<\/a> automatically blocks phishing sites, malicious attachments, and spam blasts before you even have a chance to click. Plus, our Kaspersky for Android<\/a>\u00a0app features a three-tier anti-phishing system that can sniff out and neutralize malicious links in any message from any app. Read more about it in our post, A new layer of anti-phishing security in Kaspersky for Android<\/a>.<\/li>\n<\/ol>\n\n","protected":false},"excerpt":{"rendered":"

    We’re diving into the most intriguing and sophisticated phishing and spam schemes intercepted by our experts throughout 2025. <\/p>\n","protected":false},"author":2706,"featured_media":25286,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1486],"tags":[312,19,2351,76,695,240,581,2465,520],"class_list":{"0":"post-25269","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-threats","8":"tag-attack","9":"tag-email","10":"tag-messaging-apps","11":"tag-phishing","12":"tag-scam","13":"tag-spam","14":"tag-telegram","15":"tag-vishing","16":"tag-whatsapp"},"hreflang":[{"hreflang":"en-ae","url":"https:\/\/me-en.kaspersky.com\/blog\/spam-and-phishing-2025\/25269\/"},{"hreflang":"en-in","url":"https:\/\/www.kaspersky.co.in\/blog\/spam-and-phishing-2025\/30197\/"},{"hreflang":"en-gb","url":"https:\/\/www.kaspersky.co.uk\/blog\/spam-and-phishing-2025\/30068\/"},{"hreflang":"es-mx","url":"https:\/\/latam.kaspersky.com\/blog\/spam-and-phishing-2025\/28977\/"},{"hreflang":"es","url":"https:\/\/www.kaspersky.es\/blog\/spam-and-phishing-2025\/31858\/"},{"hreflang":"it","url":"https:\/\/www.kaspersky.it\/blog\/spam-and-phishing-2025\/30475\/"},{"hreflang":"ru","url":"https:\/\/www.kaspersky.ru\/blog\/spam-and-phishing-2025\/41279\/"},{"hreflang":"tr","url":"https:\/\/www.kaspersky.com.tr\/blog\/spam-and-phishing-2025\/14283\/"},{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/spam-and-phishing-2025\/55295\/"},{"hreflang":"fr","url":"https:\/\/www.kaspersky.fr\/blog\/spam-and-phishing-2025\/23631\/"},{"hreflang":"pt-br","url":"https:\/\/www.kaspersky.com.br\/blog\/spam-and-phishing-2025\/24744\/"},{"hreflang":"en-au","url":"https:\/\/www.kaspersky.com.au\/blog\/spam-and-phishing-2025\/35953\/"},{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\/spam-and-phishing-2025\/35615\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/me-en.kaspersky.com\/blog\/tag\/phishing\/","name":"phishing"},"_links":{"self":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/25269","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/users\/2706"}],"replies":[{"embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/comments?post=25269"}],"version-history":[{"count":2,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/25269\/revisions"}],"predecessor-version":[{"id":25289,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/25269\/revisions\/25289"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/media\/25286"}],"wp:attachment":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/media?parent=25269"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/categories?post=25269"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/tags?post=25269"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}