Statistics on Phishing Attacks

Key Takeaways:

When most people hear the word phishing, they think that they already know what it is. The truth is that phishing trends are not what they used to be, even just 18 months ago. Phishing remains the top attack vector across the board, with attacks surging to billions of malicious emails sent daily. Review these phishing statistics to find out what you’re up against.





Phishing email methods that still work

We've seen a major shift to credential theft via simulated login pages, which make up the majority of email phishing attacks.

Session token harvesting and cookie stealing are on the rise as attackers want the tokens that verify you’re already authenticated. Once they obtain these tokens, they use them to access your accounts as if they were you. No second-factor required.

Emailed QR codes containing malicious links, commonly known as "quishing," have increased drastically over the past couple of years. Most email security scanners only scan text and URLs within an email. They rarely look at the actual images for malicious QR codes. A user will open an email with a malicious QR code, scan it with their phone (which usually has weaker security controls than a corporate laptop), and the QR code will redirect them to a credential-harvesting site. It's clever, easy to execute, and going under most cybersecurity professionals' radars.



Employee targets and phishing vulnerability stats

Finance and HR employees tend to be the main targets for phishing because they commonly work with money and sensitive data. But IT admins and help desk employees are coming in hot on the list.

Attackers frequently use these employees as a gateway into your network. Through an extremely well-crafted pretexting attack, an attacker can impersonate an employee who has been locked out of their account. They’ll contact your help desk and pressure them into bypassing security controls or resetting passwords. 

With AI-phishing on the rise, it’s easier than ever for cybercriminals to craft well-formatted and contextually appropriate phishing emails. To add to that, attackers strategically time phishing attack frequency to coincide with organizational pressure points, like targeting financial teams at quarter-end and accounting during tax season.


Financial and data loss from phishing attacks

Understanding the full scope of phishing data breaches is critical for small to mid-size businesses (SMBs) that may not have the resources to recover from a major incident. For some SMBs, this could mean game over, since many don't have the funds or cyber insurance to recover from a major cyberattack. And yes, cyber insurance can help cover direct costs, but what about productivity loss, loss of trust from customers, and loss of competitive advantage when your business grinds to a halt?


How phishing stats inform SMB security strategy

Email filtering is only doing part of the job

Cybercriminals design attacks specifically to evade security controls. According to the 2025 Verizon DBIR, 60% of breaches involved the human element, with phishing accounting for 16% of initial breach vectors and stolen credentials used in 22% of attacks. 


Your security awareness training is important

We're not saying it isn't working, but what we are saying is that users need an easy way to report suspicious emails, and your Security Operations Center (SOC) needs to know about them. The longer your security team takes to investigate and respond to a reported email, the more likely it will be clicked, which is why rapid detection and response matter more than prevention alone.


MFA is great, but it is by no means a foolproof solution

With session token harvesting and cookie stealing on the rise, MFA won't help you if your users are logging in to services from their browsers. You need security that's looking for suspicious behavior after authentication.
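
One way to look for the post-authentication behavior described above, as an added example that is not from the original page or from Huntress: it flags a session token that is later presented from a different network or browser than the one that signed in. The log schema, field names, and sample events are constructed assumptions, and the first event of each session is assumed to be the sign-in that passed MFA.

```python
import json

# Constructed sample events in a hypothetical schema: one JSON object per
# request that presented a session cookie. IPs and ASNs are documentation values.
SAMPLE_LOG = """
{"ts":"2025-03-03T09:00:05Z","user":"alice","session":"s-1001","ip":"198.51.100.10","asn":64500,"ua":"Chrome/133 Windows"}
{"ts":"2025-03-03T09:02:11Z","user":"bob","session":"s-2002","ip":"203.0.113.7","asn":64501,"ua":"Edge/133 Windows"}
{"ts":"2025-03-03T09:40:52Z","user":"alice","session":"s-1001","ip":"198.51.100.23","asn":64500,"ua":"Chrome/133 Windows"}
{"ts":"2025-03-03T09:41:30Z","user":"bob","session":"s-2002","ip":"192.0.2.44","asn":64510,"ua":"Firefox/135 Linux"}
{"ts":"2025-03-03T09:45:00Z","user":"bob","session":"s-2002","ip":"203.0.113.7","asn":64501,"ua":"Edge/133 Windows"}
"""


def find_replayed_sessions(log_text):
    """Return one finding per session whose client changed after sign-in."""
    events = [json.loads(line) for line in log_text.splitlines() if line.strip()]
    events.sort(key=lambda e: e["ts"])  # same-format UTC ISO-8601 sorts as text
    baseline = {}  # session id -> first event, assumed to be the MFA sign-in
    findings = {}  # session id -> first deviation seen for that session
    for e in events:
        sid = e["session"]
        if sid not in baseline:
            baseline[sid] = e
            continue
        first = baseline[sid]
        reasons = []
        if e["asn"] != first["asn"]:
            reasons.append("network_changed")
        if e["ua"] != first["ua"]:
            reasons.append("user_agent_changed")
        # A new IP inside the same ASN (DHCP lease, office egress pool) is not
        # flagged on its own; that is alice's case in the sample.
        if reasons and sid not in findings:
            findings[sid] = {
                "user": e["user"],
                "session": sid,
                "seen_at": e["ts"],
                "from_ip": e["ip"],
                "reasons": reasons,
            }
    return list(findings.values())


if __name__ == "__main__":
    for finding in find_replayed_sessions(SAMPLE_LOG):
        print(finding)
```

Exact user-agent comparison will also fire when a browser updates mid-session, so a production rule would compare browser family and weigh both signals together before alerting.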



Don’t become another phishing stat

Huntress Managed Identity Threat Detection and Response (ITDR) pairs with our Managed Security Awareness Training (SAT) program to give you visibility into the threats others are missing, as well as keep your employees informed on the latest phishing tactics. Get a demo and try Huntress free today.


