SpyCloud reports 400% increase in phished identities

SpyCloud released new data showing a 400% year-over-year increase in successfully phished identities, a finding the company said highlighted the need for real-time visibility into identity exposures.

The dataset covered more than 28 million recaptured phished records, nearly 40% of which contained a business email address, compared with 11.5% in recaptured malware data; SpyCloud said workforces were three times more likely to be targeted by phishing than by infostealer malware and that phishing accounted for 35% of ransomware infections in its 2025 report.

SpyCloud described threat actor methods including phishing-as-a-service kits that automated convincing lures and adversary-in-the-middle tactics that captured Multifactor Authentication (MFA) tokens and session cookies, and said its processes detected who had been targeted, what data had been exposed, and remediated credentials before they could be weaponized.

The company said it recaptured and automatically remediated successfully phished identity data and targeting lists at scale before follow-on attacks such as ransomware, fraud, and account takeover could occur; it cited a 2025 Nikkei breach where malware on a personal device led to corporate compromise and reported that nearly one in two corporate users had an infostealer malware infection in their digital history.

“Phishing is now one of the most scalable tools cybercriminals use to breach enterprise environments,” said Trevor Hilligoss. “Protecting the enterprise means looking beyond corporate accounts,” said Damon Fleury.

SpyCloud saw this trend continuing in 2026.