Five predictions for Identity-centric attacks in 2025

A new year is here, and with it come new resolutions, possibilities, and — regrettably — threats. 

No, threat actors won’t just change their ways with the flip of the calendar. Instead, they’ll double down on what’s been working and experiment with new ways of evading detection and exploiting vulnerabilities. 

While we can’t anticipate every malicious tactic, we can identify some of the troubling security trends most likely to continue and expand in 2025. Here are a few of our predictions and advice for how to prepare for them. 

Phishing kits will get trickier

Phishing continues to be an effective method for Identity-based attacks, and we don’t expect that to change just yet. In fact, we’re increasingly seeing scammers using advanced phishing kits — virtual toolboxes of resources designed to make attacks much easier to launch and repeat. 

In 2025, these kits will evolve to make phishing even harder to detect. For example, many kits can already sidestep impossible-travel flags by routing the attacker's requests through residential proxies, so the sign-in appears to originate from an IP address near the targeted user rather than from the attacker's actual location.

To combat tactics like these, we strongly recommend that organizations adopt phishing-resistant authentication and block requests from anonymizing services. These solutions may not be a panacea, but they should cut down on malicious activity. 
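As an added example (not Okta's code, and not tied to any particular product), the snippet below shows why an impossible-travel check alone misses proxy-routed logins and why the anonymizing-service check has to run independently of it. The ASNs, coordinates and timestamps are constructed; ASNs 64496 to 64511 are reserved for documentation, and the list of "anonymizer" ASNs stands in for a threat-intelligence feed.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt

# Hypothetical ASNs of residential-proxy / anonymizing services (constructed;
# a real deployment would source this list from a threat-intelligence feed).
ANONYMIZER_ASNS = {64501, 64502}

MAX_PLAUSIBLE_SPEED_KMH = 900.0   # roughly an airliner's cruising speed
SAME_METRO_KM = 50.0              # below this distance, never flag travel


@dataclass
class Login:
    user: str
    ts: datetime
    lat: float
    lon: float
    asn: int


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two lat/lon points."""
    r = 6371.0
    p1, p2 = radians(lat1), radians(lat2)
    a = (sin(radians(lat2 - lat1) / 2) ** 2
         + cos(p1) * cos(p2) * sin(radians(lon2 - lon1) / 2) ** 2)
    return 2 * r * asin(sqrt(a))


def impossible_travel(prev, cur):
    """True if the user could not have moved from prev to cur in the elapsed time."""
    distance = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
    if distance < SAME_METRO_KM:
        return False
    hours = (cur.ts - prev.ts).total_seconds() / 3600.0
    if hours <= 0:
        return True                # different place, no time elapsed
    return distance / hours > MAX_PLAUSIBLE_SPEED_KMH


def evaluate_logins(logins):
    """Return a list of (login, flags) in time order.

    A residential proxy near the victim defeats the travel check, so the
    anonymizer-ASN check is evaluated on its own, not only when travel looks odd.
    """
    last_seen = {}
    results = []
    for login in sorted(logins, key=lambda l: l.ts):
        flags = []
        prev = last_seen.get(login.user)
        if prev is not None and impossible_travel(prev, login):
            flags.append("impossible_travel")
        if login.asn in ANONYMIZER_ASNS:
            flags.append("anonymizer_asn")
        results.append((login, flags))
        last_seen[login.user] = login
    return results


def should_block(flags):
    """Policy from the text: any risk flag blocks the request."""
    return bool(flags)


# Constructed sample: a legitimate Chicago login from the user's home ISP,
# then an attacker using phished credentials through a Milwaukee residential
# proxy (131 km away, 45 minutes later), then the same attacker from a
# Frankfurt hosting provider without the proxy.
T0 = datetime(2025, 1, 6, 9, 0, tzinfo=timezone.utc)
SAMPLE_LOGINS = [
    Login("alice", T0, 41.88, -87.63, 64496),                             # home ISP
    Login("alice", T0.replace(minute=45), 43.04, -87.91, 64501),          # residential proxy
    Login("alice", T0.replace(hour=10, minute=0), 50.11, 8.68, 64500),    # hosting VPS
]

if __name__ == "__main__":
    for login, flags in evaluate_logins(SAMPLE_LOGINS):
        verdict = "BLOCK" if should_block(flags) else "allow"
        print(f"{login.ts.isoformat()} {login.user} AS{login.asn} {verdict} {flags}")
```

The second login is the interesting one: at roughly 175 km/h the travel check is satisfied, and only the ASN check catches it. The third login trips the travel check (about 6,900 km in 15 minutes) even though its ASN is not on the list, which is why both checks are worth keeping.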

Device-based attacks will make a comeback

Sometimes a prominent security incident or close call can cause a widespread shift in strategies. 

That happened in 2022, when a collective of hackers known as Scatter Swine conducted waves of social engineering and SMS-based credential phishing campaigns to attempt to bypass MFA and access information in dozens of large companies. We studied nearly three dozen of these targeted companies and found that nearly all of them adopted strong phishing-resistant authenticators in the wake of the attack. 

While embracing phishing resistance is critical, it isn't sufficient: when persistent attackers can no longer rely on phishing, they pivot to something else. 

We’re already seeing a shift to device-based attacks, with hackers working to compromise users’ phones, laptops, and networks. They might trick a user into installing malware, for example, and then steal login credentials or session tokens from the device so they can access sensitive systems and data within the user’s company. 

Fortunately, we’re far from helpless against device-based attacks. By establishing device trust, organizations can restrict access to specific resources to managed devices. And by integrating signals from endpoint detection and response (EDR) services into the authentication flow, organizations can prevent devices that are compromised with malware from establishing a session.

Business processes will become targets

Not all security threats to your business will involve vulnerabilities in your tech stack. Instead, some clever attackers will look to exploit weaknesses in your business processes. For example, they might call your IT help desk pretending to be a new employee so they can gather information about the software your workforce uses.

Over time, this approach can provide an attacker with a detailed profile of how your company works, so they’ll be even more convincing the next time they try to impersonate one of your employees. It also gives them a better chance of identifying weaknesses in your processes and broader supply chain.      

Educating your workforce to be vigilant for unusual or unauthorized activity can help prevent this type of attack. Organizations should also implement robust processes to verify their remote workforce, including using Identity verification vendors that can verify employees during critical moments of the user lifecycle, such as during onboarding or recovery flows.  

Downgrade attacks will continue surging

In 2024 we’ve seen an upswing in downgrade attacks, in which an initial tactic causes a targeted system to switch to a less-secure mode of operation, making it more vulnerable to a follow-on attack. 

Downgrade attacks can compel users to abandon phishing-resistant authentication methods for less secure ones. For example, an attack might come in the form of an SMS message asking a user to disconnect the YubiKey from their laptop, or a call from someone pretending to be on the user’s IT team, asking them to remove a security factor from their account. 

Threat actors can also exploit misconfigurations in an organization’s authentication policies, such as a rule for a sensitive application that still accepts an SMS code or push approval when the user’s hardware key is unavailable. To help mitigate this threat, we recommend configuring authentication policies that require phishing-resistant factors and ensuring that policies for sensitive applications do not allow a fallback to non-phishing-resistant factors. 
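As an added example covering both the device-trust and EDR signals described in the earlier section and the no-fallback policy recommended here, the snippet below models a small policy evaluator. It is not Okta's policy engine and the factor names, policy fields and EDR states are hypothetical; the point is to show a weak policy beside a hardened one, an audit that exposes the fallback path, and an evaluator that fails closed when the EDR state is unknown.

```python
from dataclasses import dataclass

# Factor classes (hypothetical names, not a product's factor taxonomy).
PHISHING_RESISTANT = {"fido2", "piv_smartcard"}
NON_PHISHING_RESISTANT = {"password", "sms_otp", "totp", "push"}


@dataclass
class Policy:
    name: str
    accepted_factors: set       # presenting any one of these satisfies the rule
    require_managed_device: bool
    require_healthy_edr: bool


@dataclass
class AuthRequest:
    user: str
    app: str
    factors_presented: set
    device_managed: bool
    edr_status: str             # "healthy", "compromised" or "unknown"


def audit_policy(policy):
    """Return the non-phishing-resistant factors a policy still accepts.

    A non-empty result is a downgrade path: an attacker who talks the user
    out of the hardware key can satisfy the rule with a weaker factor.
    """
    return policy.accepted_factors & NON_PHISHING_RESISTANT


def evaluate(policy, req):
    """Return (allowed, reasons). Every failing check is reported rather than
    stopping at the first one, and an unknown EDR state fails closed."""
    reasons = []
    if policy.require_managed_device and not req.device_managed:
        reasons.append("device not managed")
    if policy.require_healthy_edr and req.edr_status != "healthy":
        reasons.append(f"edr status is {req.edr_status}")
    if not (req.factors_presented & policy.accepted_factors):
        reasons.append("no accepted factor presented")
    return (not reasons, reasons)


# The weak setting: a sensitive app whose rule accepts SMS as a fallback and
# does not look at the device at all.
WEAK_POLICY = Policy("payroll-weak", {"fido2", "sms_otp"}, False, False)

# The corrected setting: phishing-resistant factors only, managed device,
# and a healthy EDR verdict before a session is established.
HARDENED_POLICY = Policy("payroll-hardened", {"fido2", "piv_smartcard"}, True, True)

# Constructed requests.
# An attacker who convinced the user to unplug the key and read back an SMS
# code, signing in from an unmanaged machine the EDR has never seen.
DOWNGRADED = AuthRequest("alice", "payroll", {"password", "sms_otp"}, False, "unknown")
# The legitimate user: hardware key, managed laptop, EDR healthy.
LEGIT = AuthRequest("alice", "payroll", {"fido2"}, True, "healthy")
# Same user and key, but the EDR reports malware on the laptop.
INFECTED = AuthRequest("alice", "payroll", {"fido2"}, True, "compromised")

if __name__ == "__main__":
    for policy in (WEAK_POLICY, HARDENED_POLICY):
        print(f"{policy.name}: accepts weaker factors {sorted(audit_policy(policy))}")
        for req in (DOWNGRADED, LEGIT, INFECTED):
            allowed, reasons = evaluate(policy, req)
            print(f"  {sorted(req.factors_presented)} managed={req.device_managed} "
                  f"edr={req.edr_status} -> {'allow' if allowed else 'deny'} {reasons}")
```

Running the audit over every policy that protects a sensitive application, and treating any non-empty result as a finding, is a cheap way to catch the fallback misconfiguration before an attacker does.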

We expect downgrade attacks to continue posing a significant security threat in 2025. Again, while implementing secure processes and procedures is critical, employees also play an important role. Teach them to be wary of social engineering attacks, and to never provide passwords or codes over channels like SMS and instant messaging applications. 

GenAI will pose new challenges

Finally, no list of 2025 predictions would be complete without mention of the ubiquitous topic of AI.

Along with all of its promise and potential, Generative AI is already causing plenty of headaches for security teams. This year alone we’ve seen several stories of scammers using deepfake videos of C-suite leaders to trick employees into transferring money or sharing sensitive information. While it may take a little more time, given the staggering rate of innovation in this space, it would be wise to expect to see deepfakes go real time in 2025 and to start thinking about ways to mitigate that threat. Convincing voice and video generated on the fly to mimic real members of your workforce will open up new, creative opportunities for criminals. 

Business processes must evolve to mitigate the impact of threats like these. Companies should create a culture where the workforce feels empowered to push back when they feel like leaders are making unreasonable, potentially suspicious requests.

Our security commitment

The world of Identity-based attacks is a dynamic one, an ongoing struggle that’s spurring constant innovation and adaptation on both sides. For companies looking to protect their users and data, it’ll take an evolution in technologies, policies, and business processes to put up an effective defense.

At Okta, we’re committed to taking action. That’s why we recently announced the Okta Secure Identity Commitment (OSIC), our long-term initiative to lead the industry in fighting Identity attacks. With OSIC, we hope to help our peers and customers improve their security posture and defend against Identity-based threats — no matter what shape they may take — both now and in the years to come.

To learn more about the evolution of these attacks and how best to mitigate them, read our guide on the anatomy of Identity-based attacks.