SpyCloud Analysis Reveals 94% of Fortune 50 Companies Have Employee Data Exposed in Phishing Attacks

Austin, USA / Texas, May 7th, 2025, CyberNewsWire

SpyCloud, the leading identity threat protection company, today released an analysis of nearly 6 million phished data records recaptured from the criminal underground over the last six months. Phishing attacks have been growing in scale and sophistication, and SpyCloud’s research reveals that cybercriminals are increasingly targeting high-value identity data that can be used for follow-on attacks like ransomware, account takeover, and fraud.

While the data reflects only a snapshot of the phishing threat landscape, it provides valuable insights for organizations seeking to bolster defenses, enhance user training, and prevent identity-based attacks.

Key findings from SpyCloud’s analysis of phished data include:

94% of Fortune 50 companies have employee identity data exposed as a consequence of phishing attacks.
81% of these records contain email addresses, 42% include IP addresses, and 31% include user-agent information identifying device and browser details.
The top impersonated industries in phishing campaigns include: telecommunications, IT, and financial services.
Two thirds of the 5.5 million records contained credentials, financial information, or visitor metadata, while 37% came from email targeting lists (a collection of addresses selected for phishing attempts, not necessarily resulting in compromise).

“Phishing threats are not only growing – they’re evolving. In the last six months alone, we’ve seen a 17% increase in phishing emails. What’s especially concerning is that nearly 82% of victims had their email credentials compromised in prior data breaches, giving attackers a critical advantage,” said Brian Jack, chief information security officer at KnowBe4, a partner of SpyCloud. “This highlights the urgent need for ongoing security awareness training, but it’s only half the equation. Security teams must also have visibility into these specific exposures so they can take swift, targeted action to remediate. Combining human vigilance with actionable intelligence is the most effective way to stop phishing in its tracks – and prevent it from opening the door to broader cyberattacks.”

Phishing attacks are on the rise – not because organizations lack defenses, but because cybercriminals are modernizing their tactics, evolving phishing campaigns into industrial scale operations with phishing-as-a-service (PhaaS) platforms and AI. With the ability to automate the creation of sophisticated phishing kits, threat actors can more easily harvest credentials and 2FA codes, distribute phishing links via QR codes, and bypass CAPTCHAs to avoid detection.

“To combat the growing scale and sophistication of phishing attacks, security teams need access to real-time exposed identity data before it leads to broader compromise,” said Trevor Hilligoss, head of security research at SpyCloud. “One area we find organizations lacking insight is when it comes to phishing target lists, ripe with potential victims of phishing campaigns. Armed with this knowledge, organizations can proactively flag vulnerable accounts, alert these users, and stay even more vigilant to avoid falling prey. This action, further up the attack chain, takes a proactive approach to combating phishing threats before they happen.”

Hilligoss continues, “When organizations remediate phished credentials, terminate compromised web sessions, and act on other stolen identity artifacts, they reduce their risk substantially – and disrupt attackers’ ability to escalate privileges and launch ransomware.”

SpyCloud will dive deeper into these findings during its upcoming webinar on Thursday, May 15, Phish Happens: What Recaptured Data Reveals About the Industrialization of Phishing. Organizations interested in detecting and disrupting phishing-related identity exposures before they escalate are invited to register here.

About SpyCloud

SpyCloud transforms recaptured darknet data to disrupt cybercrime. Its automated identity threat protection solutions leverage advanced analytics to proactively prevent ransomware and account takeover, safeguard employee and consumer accounts, and accelerate cybercrime investigations. SpyCloud’s data from breaches, malware-infected devices, and successful phishes also powers many popular dark web monitoring and identity theft protection offerings. Customers include seven of the Fortune 10, along with hundreds of global enterprises, mid-sized companies, and government agencies worldwide. Headquartered in Austin, TX, SpyCloud is home to more than 200 cybersecurity experts whose mission is to protect businesses and consumers from the stolen identity data criminals are using to target them now.

To learn more and see insights on users’ companies’ exposed data, users can visit spycloud.com.