Researchers from the Godai Group set up what are called doppelganger domains — close imitations of legitimate domains — for all Fortune 500 companies, then sat back for six months to see what they would get.

In all, the researchers report, 151 of the companies were vulnerable to having e-mail misdirected. And in that six-month period, they collected 120,000 e-mails amounting to 20G of data, including trade secrets, business invoices, employees’ personal information, network diagrams, user names and passwords.