Positive Technologies warns: phishing attacks increased by one-third over the past year

As part of the international cyberfestival Positive Hack Days, a press conference was held on May 23. Experts from Positive Technologies and SDM-Bank took a deep dive into phishing, discussing the tools and themes used by attackers and the security measures implemented by cybersecurity teams. Positive Technologies also announced the development of its own secure email gateway (PT Email Gateway). This product will protect email from unwanted messages, including phishing. The first pilot projects are scheduled for late 2025.

According to a study¹ by Positive Technologies, the number of phishing attacks continues to grow: in 2024, incidents increased by 33% compared to 2023 and by 72% compared to 2022. All industries experience phishing attacks, but the most frequently targeted sectors in 2024 were government agencies (15%), manufacturing companies (10%), and IT firms (9%).

Phishing attacks on organizations can lead to various consequences: theft of confidential information (63%), operational disruptions (28%), damage to national interests (6%), and direct financial losses (5%). 

Phishing attacks can be categorized into two groups: targeted attacks and mass attacks. Targeted phishing attacks are aimed at specific entities. They are carefully crafted, which requires attackers to invest more time and resources. They are also more likely to succeed. Advanced Persistent Threat (APT) groups often employ this method. However, the majority of phishing attacks fall under the category of mass phishing. The attackers send phishing emails to a large number of recipients, hoping that at least a few will take the prompted action. In such attacks, cybercriminals often impersonate well-known brands, such as Microsoft, Apple, or Google. Experts predict that the line between mass and targeted phishing will increasingly blur. Phishing messages will grow in number, and their content will become more sophisticated and convincing.

Phishing attack trends

The participants of the press conference highlighted several trends observed in phishing attacks on Russian companies. 

Artificial intelligence (AI) will become increasingly integrated into the toolkits of malicious actors. Hackers already use AI to generate phishing content and personalize attacks. For example, phishing chatbots have become highly adaptable. They alter the language and tactics of their messages based on users' responses. Among other things, chatbots help fraudsters carry out popular fake boss attacks. According to Positive Technologies, phishing messages impersonating the recipient's employer accounted for 10% of all incidents in 2022–2023. The trend continued in 2024. 

There was a surge in the use of deepfake voice and video messages in 2024. According to KPMG, there was a 245% increase in the use of deepfakes in cyberincidents globally between Q1 2023 and Q1 2024. Irina Telekhina, Head of Cybersecurity Development and Maintenance at Positive Technologies, spoke about a phishing attack on Positive Technologies using deepfakes. In 2024, cybercriminals made a video call to a senior manager of the company, posing as the CEO. In just a few seconds, they collected enough personal data—such as facial expressions, hair color, and eye color—to create a deepfake. Subsequently, the deepfake was used in a phishing attack on Positive Technologies, but the existing cyberthreat prevention process and the efforts to raise employee awareness helped thwart the attack. 

"The analysis of the email traffic at Positive Technologies confirms that all cyberattack trends are consistent worldwide," said Irina Telekhina, Head of Cybersecurity Development and Maintenance at Positive Technologies. "Soon after we noticed that deepfake videos and voice messages along with MFA circumvention tools were gaining popularity, we detected these tools being used in phishing attacks against our company. However, it's fair to say that the number of phishing messages reaching our employees is minimal because PT Sandbox blocks most of them. Phishing attacks take many forms, all designed to exploit human vulnerabilities. No one is immune—not even IT specialists or cybersecurity experts—because, ultimately, we are all human. The human factor remains a critical weak point that cannot be overlooked."

Experts from Positive Technologies and SDM-Bank are actively enhancing the quality of basic email protection as a key technical measure, while also training employees to quickly recognize phishing attempts. According to a study by Hoxhunt, employee training improves the ability to recognize phishing attempts. After six months, 50% of trained employees could identify a real phishing attack, compared to only 13% of untrained employees.

Vladimir Solonin, CISO at SDM-Bank, said that the bank's training program has successfully reduced the number of employees falling for simulated phishing emails from dozens to just a few.

Vladimir Solonin also shared the approaches used by SDM-Bank to build a defense against phishing attacks and significantly improve the rate of intercepted phishing messages.

"Previously, we used a script to manually analyze potentially malicious messages. But with the increasing volume of such emails, automation became necessary," commented Vladimir Solonin, CISO at SDM-Bank. "Thus, we had to implement a sandbox to spot such cyberthreats. After foreign vendors left Russia, we conducted a comparative test of domestic solutions, and chose PT Sandbox developed by Positive Technologies. We continuously assess the effectiveness of our defenses, including those against email-related cyberthreats. In April 2025 alone, PT Sandbox intercepted 342 malicious emails, and only 0.36% of potentially malicious messages came through, bypassing traditional antivirus tools. The highest number of malicious emails was observed in June 2023. A total of 880 malicious emails were intercepted, with only 0.39% making it through. These numbers demonstrate how a high-quality cybersecurity product protects an organization from phishing. However, any defense must be layered and comprehensive. In addition to a sandbox, it is necessary to establish basic protection for the mail server using an email gateway with antivirus engines, protect end-user workstations, and keep improving employees' cybersecurity awareness."

To make their phishing attempts more effective, attackers are focusing on bypassing security mechanisms. In addition, scammers embed CAPTCHA tests to make it more difficult to automatically block their websites. This also creates an illusion of trust for victims, as legitimate websites often use CAPTCHA as well. Attackers use attachments, links, and sometimes QR codes to distribute malware and fake data entry forms. According to a study by Cisco Talos, just one out of every 500 emails contains QR codes, while 60% contain spam or malware. Advanced security tools are now learning to analyze malicious QR codes. For example, PT Sandbox can detect QR codes in images within the body or attachments of emails, extract the links they contain, and check them for malicious content.

The evolution of the dark web has facilitated phishing by making cybercrime more accessible and allowing even low-skilled attackers to easily access corporate infrastructures. Previously, phishing attacks required attackers to spend time and effort, but now this problem has been solved by PhaaS (Phishing-as-a-Service) platforms. PhaaS platforms offer ready-made phishing campaigns starting at just $10.

"Phishing-as-a-Service platforms have truly changed the game," said Irina Zinovkina, Head of Cybersecurity Analytics at Positive Technologies. "They resemble marketplaces where cybercriminals can get all the tools they need, such as phishing templates, dashboards for measuring the effectiveness of campaigns, CAPTCHA capabilities, and tools for creating or cloning websites. Therefore, organizations must establish robust defenses against phishing to minimize the number of malicious emails that reach their employees."

Defenses against phishing attacks

According to Positive Technologies, 84% of all phishing attacks are carried out via email, far surpassing websites (23%), social media, and messaging apps (4%). The mail server can be reliably protected by using a combination of cybersecurity products: a secure email gateway and a sandbox. Positive Technologies estimates that the Russian market for email protection will be worth 6–7 billion rubles in 2025². There is a trend of steady annual growth.

"Previously, we protected our customers' mail servers by integrating PT Sandbox with other email security tools. However, a survey³ revealed that most customers would prefer to use a single-vendor combination of a secure email gateway (SEG) and a sandbox in their infrastructure," commented Elena Polyakova, Product Marketing Manager at Positive Technologies. To address these customer needs, Positive Technologies has been developing its own SEG solution, PT Email Gateway, since late 2024. Together with PT Sandbox, it will form a comprehensive solution accessible from a single interface, covering all email-related attack vectors and providing layered protection against threats of varying complexity. The MVP and first pilot projects are scheduled for late 2025.

In conjunction with PT Sandbox, the development of a secure email gateway will enable Positive Technologies to offer comprehensive email protection to current and new enterprise customers. It will also allow the company to enter the medium-sized business segment, where companies require basic protection against widespread email threats.

  1. The study contains information on current global cybersecurity threats. It is based on the expertise accumulated by Positive Technologies, insights provided by Positive Technologies Expert Security Center (PT ESC) and Threat Intelligence team (PT ESC TI), as well as the results of incident investigations and data from reputable sources. The researchers also used data collected with PT Sandbox and PT Knockin, an email security assessment tool.
  2. The conclusions are based on open data about the activities of cybersecurity companies in Russia.
  3. According to a survey of participants at the Positive Security Day 2024 conference, where over 60% of customers chose a single-vendor approach for email protection.
