AUSTIN, Texas, June 17, 2026 (GLOBE NEWSWIRE) — SpyCloud, the leader in identity threat protection, today released its 2026 Phishing Pulse Report, revealing that phishing attacks continue to increase in both volume and sophistication for enterprise organisations as artificial intelligence and phishing-as-a-service (PhaaS) platforms enable threat actors to launch highly effective campaigns at scale.
Based on a survey of enterprise security professionals at organisations with more than 1,000 employees, SpyCloud found that 78% of organisations experienced an increase in phishing volume over the past 12 months, while 84% say AI-generated phishing attacks are becoming more prevalent or harder to defend against.
Additional SpyCloud analysis found:
- Phishing attacks exposed employee data at nearly half (47%) of FTSE 100 companies over the last 12 months.
- Energy companies experienced the highest level of phishing exposure, followed by the telecommunications and financial services industries.
The findings suggest that while organisations recognise the growing threat posed by phishing, many remain unprepared to respond once an attack succeeds.
- Only 38% of organisations are very confident they can detect and respond to credential theft within 24 hours.
- 58% struggle to identify which credentials or session tokens were exposed following a phishing incident.
- 42% struggle to remediate exposed users at scale.
- 68% require 4 hours or longer to identify and remediate confirmed phishing-related exposures.
- Only 30% have fully integrated phishing detection with identity response workflows.
“Phishing is no longer just a password-stealing exercise,” said Trevor Hilligoss, Chief Intelligence Officer at SpyCloud. “With AI-written lures, PhaaS kits, and adversary-in-the-middle (AiTM) tradecraft, attackers are increasingly walking away with authenticated access like session cookies and refresh tokens. The challenge after a successful phish is figuring out what was actually exposed fast enough to matter. Too often, organisations stop at a password reset and miss the fact that the attacker may still have valid session access. Defenders need visibility into exposed credentials, cookies, and tokens, and the ability to remediate quickly before that access is used for follow-on attacks.”
Phishing’s Impact on Enterprises Continues to Grow
The report combines survey findings with SpyCloud’s analysis of active phishing campaigns and PhaaS infrastructure, revealing a clear and deliberate focus on enterprise targets.
SpyCloud researchers observed that approximately half of all PhaaS platform-sourced records are tied to enterprise identities, compared to just 11% of malware-sourced records. This indicates that phishing attacks are now approximately five times more likely to target enterprise users than malware infections – up from roughly three times more likely in late 2025. This trend is reinforced by SpyCloud’s analysis of kits such as Tycoon 2FA, where approximately 80% of captured credentials belonged to corporate email accounts.
AI, Session Hijacking, and Device Code Phishing Reshape the Threat Landscape
While AI-generated phishing emerged as the dominant concern among respondents, organisations are increasingly worried about a broader range of phishing-related threats. Business email compromise (BEC) was cited by 58% of respondents, vendor impersonation by 52%, collaboration platform phishing by 36%, and session hijacking by 20%.
The report also highlights growing concerns around AiTM phishing techniques, particularly device code phishing attacks that abuse legitimate OAuth authentication workflows to obtain authenticated access.
Hilligoss added, “Device code phishing is effective because it avoids a direct fight with MFA and instead uses legitimate authentication workflows to obtain trusted access. That gives attackers a lower-effort path to persistent access and paints a clear picture as to why defenders’ response has to go beyond password changes and include token and session revocation as a standard part of the post-phishing playbook.”
The Visibility Gap Creates Opportunity for Attackers
The report found that visibility remains the single greatest challenge organisations face after a successful phishing attack.
When security teams cannot determine which credentials, session tokens, or authentication artefacts were exposed, remediation becomes significantly more difficult and attackers gain valuable time to establish persistence, move laterally, escalate privileges, or launch follow-on attacks.
“At some point, a phishing attempt will get through,” said Hilligoss. “What separates a contained incident from a business problem is how quickly an organisation can identify the exposed credentials, cookies, or tokens and act on them at scale. The attackers are counting on the gap between compromise and remediation – and that is the window security teams need to close.”
Backed by the world’s largest repository of darknet data, SpyCloud recaptures phished credentials, session cookies, refresh tokens, and phishing targeting data directly from criminal infrastructure and active phishing campaigns, enabling organisations to identify compromised identities and automatically remediate exposures before they can be used for ransomware, account takeover, session hijacking, fraud, or other identity-based attacks.
To read the full 2026 Phishing Pulse Report, click here. If interested in a SpyCloud demo, click here.
About SpyCloud
SpyCloud transforms recaptured darknet data to disrupt cybercrime. Its automated identity threat protection solutions use advanced analytics and AI to accelerate investigations and protect workforce, consumer, and supplier identities from the threats that matter most: authentication bypass, session hijacking, malicious insiders, account takeover, ransomware, and fraud. Its data from malware-infected devices, successful phishes, combolists, and third-party breaches also powers many popular dark web monitoring and identity theft protection offerings. Customers include 7 of the Fortune 10, along with hundreds of global enterprises, mid-sized companies, and government agencies worldwide. Headquartered in Austin, TX, SpyCloud is home to more than 250 cybersecurity experts whose mission is to protect businesses and consumers from the stolen identity data criminals are using to target them now.
To learn more and see insights on your company’s exposed data, visit spycloud.com.
A photo accompanying this announcement is available at https://www.globenewswire.com/NewsRoom/AttachmentNg/36e6e20e-0262-4a11-9c5a-6669f78590d7
