Phishing (including malspam, vishing, and malvertising) was the dominant intrusion vector, accounting for approx. 60% of cases..

Vulnerability exploitation accounted for 21.3% of initial access vectors.

Insider threats accounted for 0.8% of initial access vectors.

Botnet accounted for 9.9% of initial access vectors.

Malicious applications accounted for 8% of initial access vectors.

69% of 2025's breach notices did not include an attack vector. This is an increase from 65% for the full year 2024.

Junior sales staff were among the most vulnerable roles, engaging with read VEC attacks at a rate of 86%.

Conversely, EMEA organisations show the highest reporting rate for BEC, at 4.22%

In EMEA, the VEC engagement rate exceeds Business Email Compromise (BEC) by 90%.

7% of VEC engagements came from employees who had engaged with a previous attack.

The overall reporting rate for advanced text-based email threats was just 1.46%.

Telecommunications saw the highest VEC engagement rate at 71.3%.

Employees in large enterprises engaged with malicious vendor messages 72% of the time after reading them, taking follow-up actions such as replying or forwarding.

Repeat engagement with VEC in EMEA is the highest of any region, over twice that of BEC.

The second-ranked industry for VEC engagement rate was the energy/utilities sector (56%).

EMEA organisations demonstrate the lowest reporting rate for VEC, at 0.27%.

In just 12 months, attackers attempted to steal more than $300 million via VEC.

Employees in large enterprises engaged with malicious vendor messages 72% of the time after reading them, taking follow-up actions such as replying or forwarding.

The overall reporting rate for advanced text-based email threats was just 1.46%.

Exploits continue to be the most common initial infection vector (33%).