Libraesva’s email security predictions for 2025
The evolving threat landscape continues to present significant challenges for email security. The trend lines aren’t likely to change much: attacks will continue to escalate and attackers will become increasingly sophisticated. However, there is still plenty of scope for organizations to do more to protect their systems, people and business relationships by putting effective email security measures in place.
We’ve identified four important trends that organizations need to be aware of and take into consideration when reviewing their email security this year.
More companies will be targeted by VEC attacks
Every organization with a supply chain can be a target for a VEC (vendor email compromise) attack. Bad actors use an initial phishing email to download malware to your system, so they can then research your business and use what they learn to exploit your commercial relationships – for example, by sending your customers fake invoices that are timed to coincide with your billing cycle.
VEC attacks are unquestionably escalating, with various reports putting the current rate of increase at 50-66% year on year. Businesses of all types need to be aware of – and take action against – this increasing risk.
More organizations will turn to AI-driven email security solutions
Our research last year showed that 71% of IT and security professionals lacked confidence that their current email security system could defend against AI attacks, especially when their teams are already overstretched. The answer to this is to fight fire with fire.
AI is becoming vital in closing the email security gap that is currently leaving companies dangerously exposed. Adopting smarter tools, such as an adaptive trust engine, increases the effectiveness and responsiveness of your email security, building greater employee and client trust and taking your business forward faster.
More businesses will see the value of adopting DMARC
BIMI (Brand Indicators for Message Identification) enables organizations to display a brand logo alongside the subject line of all the emails they send, but to use it, they need to have DMARC authentication (and SPF and DKIM policies) in place.
BIMI has been around for a while, and at first it was only available to organizations with a trademarked logo. Since September last year, a new authentication process has made it accessible to any business.
While the motivation may be marketing, the outcome for BIMI adopters is improved email security. Using BIMI means adopting DMARC (domain-based message authentication, reporting, and conformance), a standard that not only authenticates genuine emails by their domain, but also increases an organization’s ability to monitor and protect email domains from misuse.
DMARC is already a requirement for sending bulk emails using Gmail and Yahoo – it’s likely we will soon see more providers following suit.
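As an added illustration (not Libraesva's code), the Python below checks whether a domain's published DMARC record is at the enforcement level BIMI depends on, and whether reporting is switched on for the monitoring described above. The criteria it applies (p=quarantine or p=reject, pct=100, no sp=none) are assumptions taken from published BIMI requirements rather than from this page, and the sample records are constructed.

```python
# Added example. Records below are constructed; example.com is a placeholder.
SAMPLES = {
    "monitor-only": "v=DMARC1; p=none; rua=mailto:dmarc@example.com",
    "partial": "v=DMARC1; p=quarantine; pct=50",
    "subdomain-gap": "v=DMARC1; p=reject; sp=none; rua=mailto:dmarc@example.com",
    "enforced": "v=DMARC1; p=reject; rua=mailto:dmarc@example.com",
    "wrong-record": "v=spf1 include:_spf.example.com ~all",
}

def parse_tags(txt):
    """Split a DMARC TXT value into an ordered tag -> value dict."""
    tags = {}
    for part in txt.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags

def assess(txt):
    """Return (blockers, warnings) for using this DMARC record with BIMI."""
    tags = parse_tags(txt)
    if next(iter(tags), None) != "v" or tags["v"] != "DMARC1":
        return ["not a DMARC record: first tag must be v=DMARC1"], []
    blockers, warnings = [], []
    policy = tags.get("p", "").lower()
    if policy not in ("quarantine", "reject"):
        blockers.append(f"p={policy or '<missing>'}: failing mail is not quarantined or rejected")
    if tags.get("sp", "").lower() == "none":
        blockers.append("sp=none: subdomains are left unenforced")
    pct = tags.get("pct", "100")  # DMARC default when the tag is absent
    if pct != "100":
        blockers.append(f"pct={pct}: policy covers only part of the mail")
    if "rua" not in tags:
        warnings.append("no rua: aggregate reports are not collected, so misuse goes unseen")
    return blockers, warnings

if __name__ == "__main__":
    for name, record in SAMPLES.items():
        blockers, warnings = assess(record)
        print(f"{name}: {'ready' if not blockers else 'blocked'}")
        for line in blockers + warnings:
            print("   -", line)
```

A record that passes these checks still needs aligned SPF and DKIM on the mail itself, which this check of the DNS record does not cover.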
The need for compliance may – at last – bring email security into the boardroom
The advent of NIS2 in Europe last year is just the latest in a long line of regulatory measures that are adding to the burden and scope of enterprise information security. More are on their way this year (such as the UK’s Cyber Security and Resilience Bill), and existing government and industry requirements are continually being refined and updated.
NIS2 was particularly notable for including an organization’s supply chain – we’ll find out more about this when the list of ‘Essential and Important Entities’ is published by member states in April this year.
“A recent study commissioned by Libraesva highlights that companies are, in general, not prioritizing email security, despite 88% of the CISOs, security and IT professionals surveyed saying that their organization has experienced a successful email security attack in the last quarter… The truth is that the levels of investment, innovation, and skills needed to repel these threats are not being committed.”
Rodolfo Saccani, CTO & R&D Manager, Libraesva
Last year, Libraesva reported that 55% of organizations were still not prioritizing email as a cyber security risk. So while the burden of compliance grows, we should also recognize that the need to meet regulatory requirements is a concrete business case for investment in improved email security solutions.
For the many organizations that have not yet responded appropriately to the potential risks to their business, 2025 perhaps could be the year in which legislation tips the balance, and email security finally gets its much-deserved place on the corporate agenda.
Interested in learning more?
Read the Expert Insights Q&A with Rodolfo Saccani for an expert take on today’s email security threat landscape, how AI is changing the nature of email threats and security, and what CISOs should be looking for when choosing an email security solution.