A record increase in automated cyberattacks has cemented phishing and outdated software as the main security risks for 2025, reports the FortiGuard Labs Threat Landscape Report from Fortinet. Although the tools used by cyberattackers have evolved, the fundamental targets have not changed. Organizations must prioritize these two fronts to build a resilient defense.
The report highlights the dangerous synergy between these two vulnerabilities. “Social engineering opens the door and outdated software ensures that attackers stay inside,” says Derek Manky, Chief Cybersecurity Strategist and Vice President Global Threat Intelligence, FortiGuard Labs. This combination allows an initial breach, often through a simple phishing email, to escalate quickly into a major security incident. The threat worsens when the compromised device is operating with unpatched software.
The threat landscape has evolved dramatically toward automation and scale. Adversaries now employ automated tools and bots to scan for known vulnerabilities in systems and to launch massive phishing campaigns. This means any unpatched system can be rapidly discovered and exploited.
Phishing remains the preferred attack vector because it exploits human trust, a consistently weak link in the security chain. In the last year, these campaigns have become more sophisticated and convincing. As FortiGuard Labs report noted, attackers now use Generative AI to create emails without grammatical errors that previously revealed fraud. This is often combined with brand theft, which involves imitating and impersonating trusted institutions to increase the deception’s plausibility. Furthermore, adversaries employ multichannel attacks, combining email with fraudulent SMS (smishing) and voice calls faked with deepfake technology (vishing) to increase success rates.
The effectiveness of modern phishing lies in its scale. New automation techniques allow attackers to send millions of attempts simultaneously. Even if only a small fraction is successful, the potential damage is extensive.
The interdependence of phishing and obsolete software represents a critical threat. A single click on a malicious link can introduce malware. However, it is the unpatched software that allows attackers to escalate privileges, move laterally through the network and disable existing defenses. For this reason, the constant application of updates and patches is one of the simplest and most effective defense strategies. Security patches close known security gaps, denying attackers the foothold they need to establish themselves in a system.
Despite its importance, many organizations continue to postpone updates due to operational concerns such as downtime, system compatibility, or associated costs. However, every day a patch is delayed is a window of opportunity for attackers.
To mitigate these persistent risks, Manky recommends implementing two concrete actions. The first is to reinforce phishing awareness by training employees to identify and report suspicious messages, verify sender details, and pause before clicking links or downloading files. Implementing multi-factor authentication (MFA) is also crucial, as it adds a layer of security that protects accounts even if credentials are compromised.
The second action is to automate software updates. Organizations should adopt centralized patch management systems to ensure the timely application of updates, while individuals should enable automatic updates on all personal and corporate devices to eliminate the delay between a patch’s release and its installation.
Fortinet also urges business leaders to communicate that cybersecurity is a shared responsibility that extends beyond the information technology department. In an environment where threats are increasingly automated and persistent, mastering cybersecurity fundamentals remains the strongest and most resilient defense.
