Cybercriminals are increasingly targeting vulnerabilities outside traditional corporate networks, focusing on third-party vendors and employees' personal devices to bypass organisational defences, according to SoSafe's 2025 Cybercrime Trends Report.

The comprehensive survey of 500 security professionals across nine countries reveals trends in how attackers are expanding their focus beyond direct corporate targets.

Internal network security

"Organisations can no longer rely solely on internal network security," says Andrew Rose, CSO at SoSafe. "Even with robust measures in place, the risk from external partners remains significant if they don't uphold the same level of protection."

"The same applies to employees – when they act without security in mind outside the workplace, it creates vulnerabilities that can compromise the organisation's overall security posture."

Potentially vulnerable third parties

The report reveals that 93% of organisations now depend on third-party services to deliver their core value proposition. Each additional provider introduces new dependencies, data exchanges, and potential entry points for cybercriminals.

"Attackers are increasingly targeting software and service supply chains to amplify the scale and impact of their attacks – knowing these often lack the robust defences and resources of larger organisations," notes Rose. "This concentration strategy creates more opportunities for criminals, more leverage against victims, and more frequent breaches and service outages for customers."

The challenge is further compounded by fourth-party risks – the vendors of an organisation's vendors – creating an extended web of exposure that many security teams find difficult to monitor effectively.

Employees' personal devices

SoSafe’s study reveals that cybercriminals are moving outside the traditional corporate domain, with 83% of organisations reporting their employees have fallen victim to cyberattacks on personal devices that caused security issues for the organisation.

"Cybercriminals are blurring the lines between personal and professional spheres," says Niklas Hellemann, CEO of SoSafe. "While employees may be protected by their organisation's technical controls, their personal devices and accounts are often left vulnerable. They have become prime targets for attackers looking to gain access to corporate information." The message is clear: if it’s connected, it’s a threat vector. And personal is now professional.

Multi-channel attack strategies

As a related trend, the report highlights that 95% of organisations report an increase in multi-channel attacks over the past year. These sophisticated approaches can combine email, messaging apps, social media, and voice calls to create more convincing and harder-to-detect attacks.

With the aid of AI technologies, these attacks have evolved into "3D phishing attacks" that seamlessly integrate multiple communication channels to manipulate trust and exploit every possible entry point.

Aid of AI technologies

A notable incident occurred in 2024 involving the CEO of WPP, who was targeted in a sophisticated cyberattack. Attackers used AI-driven voice cloning to impersonate the executive and deceive employees into disclosing sensitive information and transferring funds.

This case illustrates how cybercriminals are using multi-channel tactics: leveraging WhatsApp to build trust, Microsoft Teams for ongoing interaction, and an AI-generated deepfake voice call to execute the final stage of the fraud.

Identify potential threats

"Multi-channel attacks are sophisticated tactics to trick users into becoming unwitting accomplices to criminal activities. To protect against these threats, organisations must provide regular, scenario-based training to their staff."

"The training not only helps employees identify potential threats but also reinforces positive security behaviours, fostering a security-first culture and empowering them to serve as the first line of defence for the business," said Hellemann.
