
State of Phishing 2025: Why SVGs Spiked (and What Still Works)
From All Things Human Risk Management by Hoxhunt
October 30, 2025 · 46 min
About this episode
In this episode, Eliot Baker and Maxime Cartier discuss the surge in SVG phishing attacks and effective strategies for training and prevention.
Episode #8 Security leaders don’t need more headlines - they need inbox reality: what bypasses filters, what people click, and where to train next. In this episode, host Eliot Baker sits down with Maxime Cartier , Hoxhunt’s Head of Human Risk Management, , to unpack the State of Phishing 2025 : why SVG attachments spiked, what still works, how the Microsoft vs. Google stack changes the threat mix, and the training moves that actually change behavior. What you’ll learn in this episode: Why SVGs surged: “image-as-code,” how attackers weaponize it, and a typical kill chain. What still works: PDFs/HTML + DocuSign, HR, and fake voicemail lures. Inbox layer > filter layer: focus on what reaches people, not what got blocked. Microsoft 365 vs. Google Workspace: different lure patterns, different coaching. Metrics that matter: report rate and time-to-report vs. legacy completion stats. “Report > Don’t Click”: building a high-signal reporting culture without blame. Verification tactics: quick cross-channel checks that prevent costly clicks. Program design: simulate what’s bypassing now and coach with instant feedback. Timestamps: (00:38) The Cost and Prevalence of Phishing in the Age…
People in this episode
Host: Eliot Baker
Guest: Maxime Cartier
Topics covered
- phishing
- cybersecurity
- human risk management
- SVG attachments
- email security
Keywords
- Microsoft 365
- Google Workspace
- reporting culture
- verification tactics
- program design
Mentioned in this episode
Products: Workspace, Microsoft 365, Google Workspace, DocuSign
More episodes of All Things Human Risk Management
- Your Security Awareness Program Has Plateaued - What Happens Next? · March 12, 2026 · 1h 2m
- The Ethical Guide to Security Storytelling: Navigating Real Breaches with Care and Respect · February 2, 2026 · 34 min
- The Attacks Getting Through Your Filters (and How AI Is Scaling Social Engineering) · December 22, 2025 · 38 min
- Does Security Awareness Training Even Work? Fixing the Flaws Behind “Training Fails” Headlines · November 16, 2025 · 38 min
- A CISO’s Playbook for Security Comms (with Jeffrey Brown) · October 14, 2025 · 53 min
- Virtual Kidnaps, Fake CFOs: Social Engineering Defense in the Age of AI · September 18, 2025 · 38 min
Explore listener stats, chart rankings, contacts and more on the All Things Human Risk Management podcast page.