An analysis based on nearly six million records retrieved from the criminal market reveals the growing sophistication and industrialization of phishing, with increasing risks of ransomware, fraud, and account takeover.
The cybersecurity company SpyCloud, specializing in identity threat protection, has published a report revealing that 94% of companies in the Fortune 50 have had employee identity data exposed due to phishing campaigns in the last six months.
The analysis, based on nearly six million records obtained through phishing methods and retrieved from the digital criminal environment (darknet), highlights an expanding threat that now far exceeds simple fraudulent emails: it includes automation through AI, commercialization as a service (PhaaS), and globally coordinated large-scale attacks.
Compromised Data and Most Affected Sectors
According to the report’s findings:
- 81% of exposed records include email addresses.
- 42% contain IP addresses, and 31% include user agent information, such as the browser or operating system.
- Among the most impersonated sectors in phishing campaigns are telecommunications, information technology, and financial services.
- Two-thirds of the records contained credentials, financial data, or browsing metadata.
- 37% came from target lists: databases of email addresses selected for attack, not all of which may have been compromised.
Reused Credentials and Chain Attacks
According to Brian Jack, Chief Information Security Officer at KnowBe4, a partner of SpyCloud:
“In the last six months, we have seen a 17% increase in phishing emails. What’s alarming is that 82% of the victims already had their credentials compromised in previous breaches, giving attackers a critical advantage.”
Jack emphasizes that user awareness and training are vital but must be accompanied by actionable intelligence that enables security teams to quickly detect actual exposures and respond effectively.
Industrialized Phishing: A Modern Threat
What was once artisanal fraud has now evolved into an automated criminal industry. Platforms for phishing as a service (PhaaS) and the use of artificial intelligence allow attackers to:
- Create phishing kits customized at scale.
- Impersonate pages with high visual fidelity.
- Collect two-factor authentication (2FA) codes.
- Spread malicious links via QR codes.
- Avoid detection by bypassing CAPTCHA systems and anti-bot measures.
“Security teams need real-time access to exposed data before it leads to greater compromises,” stated Trevor Hilligoss, head of security research at SpyCloud. “Many are unaware of the existence of phishing target lists. If detected in time, they can alert vulnerable users and prevent attacks before they occur.”
Remediation and Early Action: Key to Mitigating Damage
Hilligoss highlighted the importance of revoking compromised credentials, closing suspicious active sessions, and acting on all stolen identity artifacts: “This drastically reduces the risk and hampers the ability of attackers to escalate privileges or launch ransomware.”
Virtual Event: “Phish Happens”
To delve deeper into the findings, SpyCloud will host a webinar titled “Phish Happens: What Recaptured Data Reveals About the Industrialization of Phishing” on Thursday, May 15.
Speakers will include:
- Damon Fleury, Product Director at SpyCloud.
- Joe Roosen, Director of Security Research.
The event will cover:
- How target lists become gateways for targeted attacks.
- What methods SpyCloud uses to capture and analyze data stolen through phishing.
- Strategies to automatically remediate exposed data before it is used by malicious actors.
About SpyCloud
SpyCloud transforms data recovered from the black market into intelligence to disrupt cybercrime. Its automated identity protection solutions prevent ransomware, account takeover, and targeted fraud. Among its clients are seven of the Fortune 10 companies, as well as hundreds of governmental and private organizations worldwide.
source: spycloud