Personalized Phishing Attacks More Effective with Domain Spoofing

Personalized phishing attacks are becoming more effective due to domain spoofing. Cybercriminals are increasingly successful in misleading employees by making phishing emails extremely personalized. A new quarterly report (Q4 2025) from security specialist KnowBe4 reveals that emails that use the company’s own name achieve the highest click-through rates. Moreover, nearly 90% of the most successful attacks use domain spoofing to appear legitimate.

The report shows that personalization significantly increases click rates, with the two most-clicked subject lines containing recipients’ company names. Internal topics dominated engagement, appearing in 100% of the top 10 most-clicked subject lines, while HR-related topics were referenced in 46%. Messages posing as IT notifications, training updates and routine HR communications consistently ranked among the most effective phishing lures. These findings reinforce insights from KnowBe4’s State of Human Risk Report 2025: The New Paradigm of Securing People in the AI Era, which underscores the critical need for comprehensive human risk management as cybercriminals leverage increasingly sophisticated phishing tactics.

Analysis of phishing delivery methods reinforces these trends. Among the top 20 hyperlinks clicked, around 87% referenced internal topics and 90% involved domain spoofing, that is, a sender or link domain forged to match, or built to closely resemble, a legitimate one. This shows how closely attackers imitate legitimate business infrastructure to establish trust and prompt quick action.
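The report does not say how to detect the two forms of domain spoofing it counts, so the following is an added example (not code from KnowBe4 or the report) of the triage a mail gateway or SOC script can do on the two headers that matter: the From: address, and the Authentication-Results: header written by the receiving MTA. It assumes `example.com` is the organisation's own domain, a hypothetical short list of confusable characters, and that untrusted Authentication-Results headers have already been stripped at the border (a sender can otherwise inject a fake `dmarc=pass`). The sample messages are constructed, not real captures. Exact-domain spoofs are caught by a DMARC failure; lookalike domains pass DMARC for the attacker's own domain, so they need the string comparison.

```python
# Added example (not the report's code): flag From: domains that spoof or
# imitate the organisation's own domain, using the receiving MTA's
# Authentication-Results: header for the exact-domain case.
import re
from email import message_from_string, policy
from email.utils import parseaddr

ORG_DOMAIN = "example.com"  # assumed: the organisation's real domain

# Assumed, deliberately short list of character sequences attackers swap in.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]


def skeleton(label: str) -> str:
    """Collapse confusable sequences so 'examp1e' and 'exarnple' become 'example'."""
    s = label.lower()
    for fake, real in CONFUSABLES:
        s = s.replace(fake, real)
    return s


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_domain(msg) -> str:
    """Domain part of the RFC 5322 From: address, lower-cased ('' if absent)."""
    _, addr = parseaddr(str(msg.get("From", "")))
    return addr.rpartition("@")[2].lower()


def auth_results(msg) -> dict:
    """Pull spf/dkim/dmarc results out of trusted Authentication-Results: headers."""
    results = {}
    for hdr in msg.get_all("Authentication-Results", []):
        for method, result in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", str(hdr), re.I):
            results.setdefault(method.lower(), result.lower())
    return results


def classify_domain(domain: str, org: str = ORG_DOMAIN) -> str:
    """'exact' (our domain or a subdomain of it), 'lookalike', or 'other'."""
    if domain == org or domain.endswith("." + org):
        return "exact"
    if domain.startswith(org + "."):          # example.com.evil.net
        return "lookalike"
    org_label = org.split(".")[0]
    for label in domain.split(".")[:-1]:      # skip the TLD
        if skeleton(label) == skeleton(org_label) or edit_distance(label, org_label) == 1:
            return "lookalike"
    return "other"


def triage(raw_message: str, org: str = ORG_DOMAIN) -> dict:
    """Combine domain classification with the MTA's DMARC result into a verdict."""
    msg = message_from_string(raw_message, policy=policy.default)
    domain = sender_domain(msg)
    kind = classify_domain(domain, org)
    dmarc = auth_results(msg).get("dmarc", "none")
    if kind == "exact":
        verdict = "ok" if dmarc == "pass" else "spoofed-internal"
    elif kind == "lookalike":
        verdict = "lookalike-domain"   # DMARC passes for the attacker's domain
    else:
        verdict = "external"
    return {"from_domain": domain, "kind": kind, "dmarc": dmarc, "verdict": verdict}


# Constructed sample messages (not real captures), trimmed to the relevant headers.
SAMPLES = {
    "spoofed": (  # claims our domain; receiving MTA's DMARC check failed
        "From: IT Helpdesk <it-helpdesk@example.com>\n"
        "Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=example.com;"
        " dkim=none; dmarc=fail header.from=example.com\n"
        "Subject: Example Corp: password expires today\n\nReset now.\n"
    ),
    "lookalike": (  # digit 1 for letter l; DMARC passes for examp1e.com itself
        "From: HR <hr@examp1e.com>\n"
        "Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=examp1e.com;"
        " dkim=pass header.d=examp1e.com; dmarc=pass header.from=examp1e.com\n"
        "Subject: Example Corp: updated holiday policy\n\nSee attached.\n"
    ),
    "subdomain": (  # our domain used as a label inside an attacker's domain
        "From: Training <training@example.com.secure-training.net>\n"
        "Authentication-Results: mx.example.com; dmarc=pass"
        " header.from=example.com.secure-training.net\n"
        "Subject: Mandatory training update\n\nComplete it today.\n"
    ),
    "legit": (  # genuine internal mail: our domain and DMARC pass
        "From: IT <it@example.com>\n"
        "Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com;"
        " dkim=pass header.d=example.com; dmarc=pass header.from=example.com\n"
        "Subject: Scheduled maintenance\n\nServers restart at 22:00.\n"
    ),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:10} {triage(raw)}")
```

The subdomain case (`example.com.secure-training.net`) is worth a dedicated rule because it passes every authentication check: the attacker legitimately owns `secure-training.net`, so SPF, DKIM and DMARC all pass, and only the position of the organisation's name inside the domain gives it away.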

The report also analyzed real-world phishing threats reported using the KnowBe4 Phish Alert Button. The top 10 most-reported phishing attacks frequently impersonated trusted brands such as Microsoft, ShareFile, Google, Zoom, Adobe, Coinbase and DHL, as well as internal IT and HR departments. Overall, 62% of phishing landing pages users interacted with were branded, with Microsoft accounting for 22.9% of impersonated brands. Social media platforms collectively represented 14.5%.

“The fact that nearly 90% of top-clicked phishing attempts involved domain spoofing shows that attackers are successfully creating convincing illusions of legitimacy,” said Erich Kron, CISO advisor at KnowBe4. “When employees see their company name, their manager’s name, or familiar internal systems referenced in an email, their natural inclination is to trust and act quickly. Organizations must recognize that technology alone isn’t enough – building a security-conscious culture where employees feel empowered to pause and verify is our strongest defense against these increasingly deceptive attacks.”
