20 May 2025
According to SoSafe’s 2025 Cybercrime Trends Report, cybercriminals are increasingly exploiting vulnerabilities outside of traditional corporate networks, focusing on third-party vendors and employees’ personal devices to bypass organizational defenses.
The comprehensive survey of 500 security professionals across nine countries highlights a shift in attack strategies, with threats extending beyond direct corporate targets.
“Organizations can no longer rely solely on internal network security,” explains Andrew Rose, CSO at SoSafe. “Even with strong internal safeguards, risks posed by external partners remain significant if they do not maintain high security standards. Additionally, when employees act without security awareness outside the workplace, it creates vulnerabilities that can compromise the entire organization’s security posture.”
The report reveals that 93% of organizations depend on third-party service providers to deliver their core functions. Each additional partner introduces new dependencies, data exchanges, and potential entry points for cybercriminals.
“Attackers are increasingly targeting software and service supply chains to amplify their reach and impact,” notes Rose. “These supply chains often lack the same level of defense as larger organizations, making them attractive targets. This strategy creates more opportunities for breaches, disruptions, and customer service outages.”
The challenge is further complicated by fourth-party risks — the vendors of an organization’s vendors — forming an extended web of exposure that many security teams find difficult to monitor effectively.
The study also shows that cybercriminals are moving beyond the traditional corporate sphere. A striking 83% of organizations reported incidents where employees’ personal devices were exploited, leading to security issues for the organization.
“Cybercriminals are blurring the lines between personal and professional spaces,” says Niklas Hellemann, CEO of SoSafe. “While organizations may implement technical controls for corporate devices, personal devices and accounts are often left vulnerable. These devices have become prime targets for attackers seeking access to corporate information.”
The message is clear: if it’s connected, it’s a potential threat vector. Personal devices are now an integral part of the overall security landscape.
The report highlights that 95% of organizations have seen an increase in multi-channel attack tactics over the past year. These sophisticated methods leverage email, messaging apps, social media, and voice calls to craft more convincing and harder-to-detect attacks.
Using AI technologies, attackers have developed 3D phishing attacks that integrate multiple communication channels to manipulate trust and exploit every possible entry point.
A notable incident in 2024 involved the CEO of WWP, targeted in a highly advanced cyberattack. Hackers used AI-driven voice cloning to impersonate the executive and deceive employees into sharing sensitive information and transferring funds. The attack combined WhatsApp for establishing trust, Microsoft Teams for ongoing communication, and an AI-generated deepfake voice call to execute the final fraud stage.
“Multi-channel attacks are highly sophisticated tactics designed to trick users into unwittingly aiding cybercriminals,” Hellemann explains. “To defend against these threats, organizations must provide regular, scenario-based training to employees. Such training helps staff recognize potential threats, reinforces security best practices, and fosters a security-first culture — empowering employees to serve as the first line of defense.”
