Cybercriminals Target Third Parties and Personal Devices, Says SoSafe Report

Cybercriminals are shifting their focus beyond traditional corporate networks, increasingly targeting third-party vendors and employees’ personal devices to circumvent organizational defenses. This trend is highlighted in SoSafe’s 2025 Cybercrime Trends Report.

The report, based on a survey of 500 security professionals across nine countries, reveals how attackers are broadening their strategies to exploit vulnerabilities outside direct corporate environments.

“Organisations can no longer rely solely on internal network security,” says Andrew Rose, CSO at SoSafe. “Even with robust measures in place, the risk from external partners remains significant if they don’t uphold the same level of protection. The same applies to employees – when they act without security in mind outside the workplace, it creates vulnerabilities that can compromise the organisation’s overall security posture.”

93% of Organisations Rely on Potentially Vulnerable Third Parties

The report reveals that 93% of organisations now depend on third-party services to deliver their core value proposition. Each additional provider introduces new dependencies, data exchanges, and potential entry points for cybercriminals.

“Attackers are increasingly targeting software and service supply chains to amplify the scale and impact of their attacks – knowing these often lack the robust defenses and resources of larger organisations.” notes Rose. “This concentration strategy creates more opportunities for criminals, more leverage against victims, and more frequent breaches and service outages for customers.”

The challenge is further compounded by fourth-party risks – the vendors of an organisation’s vendors – creating an extended web of exposure that many security teams find difficult to monitor effectively.

83% Report Security Breaches Through Employees’ Personal Devices

SoSafe’s study reveals that cybercriminals are moving outside the traditional corporate domain, with 83% of organisations reporting their employees have fallen victim to cyberattacks on personal devices that caused security issues for the organisation.

“Cybercriminals are blurring the lines between personal and professional spheres,” says Niklas Hellemann, CEO of SoSafe. “While employees may be protected by their organisation’s technical controls, their personal devices and accounts are often left vulnerable. They have become prime targets for attackers looking to gain access to corporate information.”

The message is clear: if it’s connected, it’s a threat vector. And personal is now professional.

95% Witness Rise in Multi-Channel Attack Strategies

As a related trend, the report highlights that 95% of organisations report an increase in multi-channel attacks over the past year. These sophisticated approaches can combine email, messaging apps, social media, and voice calls to create more convincing and harder-to-detect attacks. With the aid of AI technologies, these attacks have evolved into “3D phishing attacks” that seamlessly integrate multiple communication channels to manipulate trust and exploit every possible entry point.

 A notable incident occurred in 2024 involving the CEO of WWP, who was targeted in a sophisticated cyberattack. Attackers used AI-driven voice cloning to impersonate the executive and deceive employees into disclosing sensitive information and transferring funds. This case illustrates how cybercriminals are using multi-channel tactics: Leveraging WhatsApp to build trust, Microsoft Teams for ongoing interaction, and an AI-generated deepfake voice call to execute the final stage of the fraud.

With the aid of AI technologies, these attacks have evolved into “3D phishing attacks” that seamlessly integrate multiple communication channels to manipulate trust and exploit every possible entry point.

“Multi-channel attacks are sophisticated tactics to trick users into becoming unwitting accomplices to criminal activities. To protect against these threats, organisations must provide regular, scenario-based training to their staff. The training not only helps employees identify potential threats but also reinforces positive security behaviours, fostering a security-first culture and empowering them to service as the first line of defence for the business.” Said Hellemann.