COMMENTARY: Fortune Global 500 companies expose significant amounts of personal information about their top executives online, making them easier targets for phishing attacks. A research team at Brightside AI analyzed board-member profiles in the telecommunications, transportation, and finance sectors, revealing just how much data is publicly accessible — and how this exposure directly increases the risk of costly security breaches.[SC Media Perspectives columns are written by a trusted community of SC Media cybersecurity subject matter experts.Read more Perspectives here.]
AI threats come knocking on Fortune 500 companies
The OSINT arms race: Why personal data matters
Phishing attacks aren’t just spray‑and‑pray efforts anymore. Modern threat actors leverage open source intelligence (OSINT) to assemble dossiers: board membership details, educational background, professional milestones, social‑media activity — even hobbies and affiliations. Each snippet of info is another vector, another hook in that carefully crafted bait email. Our study (at Brightside AI) shows a direct correlation: the more data exposed, the richer the phishing playbook — and the greater the odds of a click.
Executive’s industry sector
Median Exposed Data Points (per CXO and Board Member)
Median Count of Attack Vectors
Median Phishing Probability (for CXO and Board Member)
Telecom
9
36
49.9%
Transportation
9
32
45.7%
Finance
8
28
41.6%
“A targeted phish with the right personal detail has exponentially higher success rates,” says one veteran red‑team operator. “You’re not guessing — you're personalizing.”
Why has phishing become such a common threat?
Phishing and social engineering are, of course, not new forms of cyberattacks, but both are growing as initial attack vectors. Research from Brightside AI partner Acronis found that social engineering and business email compromise (BEC) attacks rose from 20% to 25.6% of email attacks between January and May 2025 compared with the same period in 2024.The Acronis Threat Research Unit (TRU) Cyberthreats Report H1 2025 also revealed that while phishing was the initial vector for almost 70% of email attacks, malware was at the root of only 3.5%. Along those same lines, phishing attacks as initial strikes in collaboration applications rose from 9% to 30.5% from H1 2024 to H1 2025. Over that same time period, the percentage of collaboration app attacks in which malware was present decreased sharply from 82% to 45%.The continued rise of phishing as the primary and most effective attack vector is actually good news. It means antimalware measures are working. Companies are building security into applications at the beginning of the development process rather than at the end, and corporations have successfully taken steps to curb malware attacks. In recent years:
Enterprises have hardened their security perimeters.
More companies have implemented endpoint detection and response (EDR), stopping malware before it can enter a system.
Governments have become more aggressive in their enforcement actions, cracking down on malware games.
The bad news, however, is that AI has unleashed a torrent of phishing and social-engineering attacks. It’s easy now for almost anybody — regardless of experience or expertise — to create an effective phishing email. These days, cyberattackers don’t hack into corporations’ systems, they log in.
Sector breakdown: Which industries face the highest phishing risk?
Telecommunications has the highest level of executive data exposure, with a median of nine personal details per profile — leading to 36 possible phishing hooks (for each Executive and Board member). This level of exposure is linked to a 50% chance that one of tailored phishing emails will succeedIn transportation, the narrative is similar: 8.5 data points and 32 vectors per target. Logistics firms often tout their operational resilience, yet underestimate their leaders’ digital footprints. The consequence is a near‑46% breach probability.Finance, paradoxically, publishes less raw data (median eight points) and has 28 median possible vector attacks, among the reviewed Fortune 500 companies. But a single mis‐click here can unlock wire transfers, insider info or market-moving leaks. Despite the lowest breach probability (≈42%), the average loss when finance execs fall for a phish tops $6 million. Average Risk-weighted damage is $2.5 million.
The financial impact: What a single exposed detail can cost
Raw breach odds tell part of the story. We layered in average direct losses per incident — fraud payouts, remediation costs and legal fees — to compute a risk‑weighted expectation:
Telecom: $4.09 M average loss → $1.78 M risk‑weighted
Transportation: $4.43 M average loss → $1.84 M risk‑weighted
Finance: $6.08 M average loss → $2.53 M risk‑weighted
Every additional exposed data point spikes that dollar figure by hundreds of thousands. For a telecom board member, just one extra public detail can elevate risk‑weighted loss by nearly 15% (from $2M to $2.3M).And this is just one member and one breach. We observe that nearly all board members and senior executives have similarly high levels of personal data exposure. As a result, if hackers target a specific company, the likelihood of a successful breach via social engineering becomes almost certain.
Action plan?
Training that matches the threat
Data exposure is only half the battle. Overworked executives are prime clickbait — brandishing an email that references a well‑known alma mater or charity event makes it feel genuine. Generic corporate training won’t cut it.
Simulations by sector: Training cadences should mirror actual exposure stats — finance teams need rigorous, deep‑dive campaigns; telecom leaders need high‑frequency exercises.
Personalization practice: Teach execs to spot hyper‑relevant social context, not just bad grammar or odd URLs.
Reducing the surface: Reducing what attackers can use
Reducing public data limits the tools attackers can exploit. Security and governance teams should regularly audit executive exposure and take action to minimize it:
Social media cleanup: Limit visible personal and professional details on platforms like LinkedIn. Use different email, allies for different social media, especially for personal and professional social media. Remove and restrict information that isn’t essential for public view.
Regular privacy reviews: Conduct quarterly audits to identify and address new sources of OSINT exposure — such as membership rosters, inactive online accounts, or sensitive services registered under recognizable personal or corporate emails.
Email safeguards: Last line of defense
Even well-trained and cautious executives can slip — especially when attackers use convincing personal details. That’s why layered technical safeguards are essential to back up human judgment and reduce the risk of a successful phishing attempt.
Adaptive filtering: Advanced email filters should go beyond checking for known malicious links. They should flag emails containing personal references, such as executive alma maters or past job titles, when those details don’t match internal records. This helps catch phishing attempts that rely on OSINT-based social engineering. Filters can also prioritize warnings for emails that mimic common business requests, such as invoice approvals or document signatures.
External email tagging: Clearly mark emails that originate from outside the organization. Even if a message is well-crafted, this visual cue helps remind users to treat external messages with extra caution — especially when they contain requests involving sensitive actions.
Combined, these controls help create a digital safety net that reduces reliance on human detection alone. In high-risk environments, this extra layer of defense can mean the difference between a blocked phishing attempt and a multi-million-dollar breach.
Conclusion: Train like it’s real - because it is
Phishing remains one of the most effective attack methods targeting global enterprises — and the rise of AI has taken it to the next level. Generative AI tools have made it easier, faster, and cheaper for attackers to scale operations, craft convincing messages, and gather detailed intelligence on targets. You no longer need to be a private investigator to build a profile on an executive — just ask ChatGPT or use Perplexity, and a treasure trove of personal and professional information is at your fingertips.As the threat becomes more sophisticated and accessible, so too must our defenses. Companies must elevate awareness training and phishing simulations from a compliance task to a core cybersecurity function:
Run regular, high-fidelity phishing simulations that mirror the AI-enhanced tactics attackers now use.
Tailor training by role and industry, focusing on the unique risks and likely attack vectors.
Move beyond annual checkboxes — create a culture of continuous, realistic training that sharpens instincts over time.
Include executive teams — they are the most exposed, most targeted, and often the least trained.
Human resilience is the last line of defense — and it’s never been more essential. As AI changes the phishing game, smarter people are your best protection.
A survey of over 7,800 individuals across eight countries revealed that between 40% and 50% of respondents still rely on browser-based password storage for convenience.
Researchers from Flare analyzed 470 underground forum posts between January 2025 and June 2026, revealing a service layer that bridges infostealer infections and account takeover activities.
