SpyCloud Report Finds Phishing Attacks Surge As Employee Data Is Exposed At 86% Of Fortune 100 Companies

-Content by CyberNewswire-

SpyCloud, the leader in identity threat protection, today released its 2026 Phishing Pulse Report, revealing that phishing attacks continue to increase in both volume and sophistication for enterprise organisations as artificial intelligence and phishing-as-a-service (PhaaS) platforms enable threat actors to launch highly effective campaigns at scale.

Based on a survey of security professionals at organisations with more than 1,000 employees, SpyCloud found that 78% of organisations experienced an increase in phishing volume over the past 12 months, while 84% say AI-generated phishing attacks are becoming more prevalent or harder to defend against. 

Additional SpyCloud analysis found:

• Phishing attacks exposed employee data at 86% of Fortune 100 companies over the last 12 months
• Technology companies experienced the highest level of phishing exposure, followed by the airline and automotive industries

The findings suggest that while organisations recognise the growing threat posed by phishing, many remain unprepared to respond once an attack succeeds.

• Only 38% of organisations are very confident they can detect and respond to credential theft within 24 hours
• 58% struggle to identify which credentials or session tokens were exposed following a phishing incident
• 42% struggle to remediate exposed users at scale
• 68% require 4 hours or longer to identify and remediate confirmed phishing-related exposures
• Only 30% have fully integrated phishing detection with identity response workflows

“Phishing has become both more sophisticated and more scalable,” said Trevor Hilligoss, Chief Intelligence Officer at SpyCloud. “AI-generated lures, PhaaS platforms, and adversary-in-the-middle (AiTM) techniques are helping attackers capture not only usernames and passwords, but session cookies, refresh tokens, granting them authenticated access that can persist long after a password reset. While prevention remains important, organisations also need visibility into exactly what was exposed and be able to remediate before attackers can turn those exposures into follow-on attacks like ransomware, account takeover, session hijacking, or fraud.”

Phishing’s Impact On Enterprises Continues To Grow

The report combines survey findings with SpyCloud’s analysis of active phishing campaigns and PhaaS infrastructure, revealing a clear and deliberate focus on enterprise targets.

SpyCloud researchers observed that approximately half of its recaptured PhaaS platform-sourced records are tied to enterprise identities, compared to just 11% of malware-sourced records.

This indicates that phishing attacks are now approximately five times more likely to target enterprise users than malware infections, up from roughly three times more likely in late 2025. This trend is reinforced by SpyCloud’s analysis of kits such as Tycoon 2FA, where approximately 80% of captured credentials belonged to corporate email accounts.

AI, Session Hijacking, and Device Code Phishing Reshape the Threat Landscape

While AI-generated phishing emerged as the dominant concern among respondents, organisations are increasingly worried about a broader range of phishing-related threats. Business email compromise (BEC) was cited by 58% of respondents, vendor impersonation by 52%, collaboration platform phishing by 36%, and session hijacking by 20%.

The report also highlights growing concerns around AiTM phishing techniques, particularly device code phishing attacks that abuse legitimate OAuth authentication workflows to obtain authenticated access.

Hilligoss added, “Attackers gravitate toward techniques that give them the most reliable access with the least amount of effort, and device code phishing checks both boxes. Rather than continuously fighting authentication controls, they can leverage legitimate workflows to obtain trusted access that often persists long after the initial compromise. This changes the response process significantly because security teams need to think beyond credential resets and focus on revoking the tokens and sessions, a process that hasn’t historically been a part of the post-phishing playbook.”

The Visibility Gap Creates Opportunity For Attackers

The report found that visibility remains the single greatest challenge organisations face after a successful phishing attack.

When security teams cannot determine which credentials, session tokens, or other authentication artifacts were exposed, remediation becomes significantly more difficult and attackers gain valuable time to establish persistence, move laterally, escalate privileges, or launch follow-on attacks.

“At some point, users are going to get phished,” said Hilligoss. “Organisations must move beyond phishing prevention-focused strategies and build response capabilities that provide continuous visibility into exposed credentials, cookies, session tokens, and other identity data. Security teams should prioritise automated remediation workflows capable of revoking compromised access at scale and reducing the window of opportunity available to attackers.”

Backed by the world’s largest repository of darknet data, SpyCloud recaptures phished credentials, session cookies, refresh tokens and phishing targeting data directly from criminal infrastructure and active phishing campaigns, enabling organisations to identify compromised identities and automatically remediate exposures before they can be used for ransomware, account takeover, session hijacking, fraud, or other identity-based attacks.

-This is a paid press release published via CyberNewswire-