Email remains the battleground of cybersecurity. Not out of nostalgia for the “spam” era, but because it continues to be the most profitable channel for scaling scams, stealing credentials, and distributing malware. Kaspersky’s latest annual report points in that direction with compelling figures: in 2025, 44.99% of global email traffic was spam, and users — both personal and corporate — encountered more than 144 million malicious or potentially unwanted attachments, a 15% increase compared to the previous year.
Beyond volume, what worries companies is the change in form. Email no longer arrives alone. Increasingly, campaigns start in the inbox but aim to end in other channels: a message pushing the recipient to WhatsApp or Telegram, a call from fake technical support, a link opening a form that later triggers a conversation with a supposed “advisor.” Email has become the trigger for a multi-channel chain where social engineering adapts to the environment and the victim.
Europe under pressure; Spain in the spotlight
Regionally, Kaspersky places Asia-Pacific (APAC) as the area with the highest share of email antivirus detections, at 30%, followed by Europe (21%), Latin America (16%), Middle East (15%), Russia and the CIS (12%), and Africa (6%). Regarding countries, the report highlights China (14%) as most affected by malicious and potentially unwanted attachments, ahead of Russia (11%), Mexico (8%), Spain (8%), and Turkey (5%).
For the Spanish market, that 8% is not a statistical anecdote: it confirms that the country remains on the radar of large-scale campaigns and also of attacks exploiting local dynamics (language, brands, institutions, and administrative processes). Additionally, Kaspersky detects moderate activity spikes in June, July, and November, months that often coincide with periods of high operational turnover (campaigns, travel, closures, and internal processes), where attackers find more room to insert false urgencies.
Spam mutates: from “junk mail” to useful fraud
A key insight of the report is the operational definition of spam: it’s not limited to unsolicited messages but encompasses scams, phishing, and malware. This shifts the focus: it’s not just about cleaning the inbox but about preventing email from becoming an entry point for fraud.
And fraud has become better at disguising itself. Among the persistent tactics expected through 2026, several are already frequently seen:
- Shift to messaging and calls: emails that seem to present an investment opportunity or administrative notice, which upon clicking redirect to a chat or trigger a call. The goal is to remove the user from the corporate environment (where controls are stricter) and lead them to channels where deception is more personal and verification less strict.
- Evasion with QR codes and “link protection”: malicious actors camouflage URLs using link protection services or increasingly embed QR codes within the email content or in PDF attachments. The tactic is twofold: hiding the real destination and prompting the user to scan from a mobile device, where security is typically weaker than on a corporate PC.
- Exploitation of legitimate platforms: the report cites campaigns that exploit genuine features of well-known services — for example, invitations and team creation — to send spam from addresses that appear authentic, increasing click-through rates based purely on trust.
- More convincing BEC: in business email compromise scams, attackers refine their approach with emails that simulate “forwarded” messages or earlier parts of a thread but lack the technical headers that would let a recipient verify the conversation. This creates a fabricated context that pressures decisions (payments, bank account changes, urgent vendor issues) with fewer warning signs.
What accelerates it all: the industrialization of Artificial Intelligence
The other major insight from the report is cultural and technical: phishing has become professionalized, and according to Kaspersky, the “commoditization” of generative Artificial Intelligence is amplifying the problem. Roman Dedenok, the company’s anti-spam expert, warns that many business attacks start with phishing and that in 2025, sophistication has increased, with campaigns that meticulously plan “every detail”: from plausible sender addresses to messages tailored to real company events and processes. The key is scale: more credible, personalized messages produced with less effort.
Practically, this necessitates rethinking the defensive approach. If attackers can adapt language, tone, and context almost in real-time, traditional filters and user intuition become less effective. Defense must be a combination of technology, procedures, and ongoing training.
Expert recommendations to avoid falling into the trap
Kaspersky emphasizes a list of measures that, while not new, are becoming more urgent with these tactics:
- Be wary of unsolicited invitations, even if they come from known platforms.
- Check URLs before clicking, especially if redirects or URL shorteners are involved.
- Avoid calling phone numbers from suspicious emails; if support is needed, find the official number through verified channels.
- In organizations, strengthen email protection with multi-layered solutions and, most importantly, regular training focused on modern techniques (QR codes, redirections, BEC, fake threads).
- Don’t overlook the blind spot: mobile devices and smartphones should also be protected, since many campaigns encourage scanning or acting directly from phones.
The core conclusion is uncomfortable but clear: email has not lost its prominence; it has changed. It’s no longer just the mailbox where malware lands but the first step in operations that move to where the user is more persuadable. With Spain among the countries most targeted by malicious attachments, the conversation shifts from global to domestic.
Frequently Asked Questions
How to detect phishing with QR codes in emails and PDFs?
The main signal is the context: urgency, prizes, unexpected invoices, or “account verification.” If a QR code is presented as the way to “proceed,” treat it like a link: verify the sender, confirm the request via an alternative channel, and avoid scanning from untrusted mobile devices.
Why is BEC fraud so dangerous for companies and finance departments?
Because it aims not to infect but to convince. Its usual target is a payment, a bank account change, or an urgent transfer. Effective defenses combine out-of-email verification (calling a known number, double approvals) and detection of domain or header anomalies.
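The "header anomalies" mentioned here, and the fake forwarded threads described earlier in the BEC tactic, can be checked mechanically. The following is an added example, not code from Kaspersky's report: the function name, signal labels and both sample messages are constructed for illustration, and the checks are heuristics that should trigger out-of-band verification rather than an automatic verdict.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: poses as a forwarded thread but carries no threading headers.
FAKE_THREAD = """\
From: "A. Director" <director@example-corp.test>
Reply-To: director@examp1e-corp.test
Subject: FW: RE: Invoice 4471 - urgent payment
Authentication-Results: mx.example-corp.test; spf=pass; dkim=none; dmarc=fail

Please pay this today, new bank details below.

-----Original Message-----
From: Vendor Billing <billing@vendor.test>
Subject: RE: Invoice 4471
"""

# Constructed sample: a genuine reply that references the earlier messages.
REAL_REPLY = """\
From: Vendor Billing <billing@vendor.test>
Subject: RE: Invoice 4471
In-Reply-To: <b1@example-corp.test>
References: <b0@vendor.test> <b1@example-corp.test>
Authentication-Results: mx.example-corp.test; spf=pass; dkim=pass; dmarc=pass

Thanks, confirmed.
"""

QUOTED = re.compile(r"^-+\s*(original|forwarded) message\s*-+|^On .+ wrote:$", re.I | re.M)

def _domain(header_value):
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()

def bec_signals(raw):
    """Return heuristic warning signs. Some mail clients omit threading headers on
    real forwards, so a hit means 'verify out of band', not 'confirmed fraud'."""
    msg = message_from_string(raw)
    body = "".join(p.get_payload() for p in msg.walk() if p.get_content_type() == "text/plain")
    signals = []
    threaded = re.match(r"\s*(re|fw|fwd)\s*:", msg.get("Subject", ""), re.I) or QUOTED.search(body)
    if threaded and not (msg.get("In-Reply-To") or msg.get("References")):
        signals.append("thread-without-headers")
    if msg.get("Reply-To") and _domain(msg["Reply-To"]) != _domain(msg["From"]):
        signals.append("reply-to-domain-mismatch")
    # Trust Authentication-Results only when it was stamped by your own gateway.
    m = re.search(r"\bdmarc=(\w+)", msg.get("Authentication-Results", ""), re.I)
    if m is None or m.group(1).lower() != "pass":
        signals.append("dmarc-not-pass")
    return signals
```
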
What techniques do attackers use to hide malicious links in emails?
Besides URL shorteners and redirects, they use “link protection” services to mask destinations and embed QR codes within message bodies or inside PDF attachments to bypass filters and target mobile devices.
What measures will be most effective in 2026 to reduce email attacks in organizations?
Advanced email filtering, proper domain authentication (SPF, DKIM, DMARC well configured), recurrent training on current tactics (QR/BEC), verification controls for payments and vendor changes, and protection for corporate mobiles.
via: kaspersky

