Phishing Costs Large U.S. Companies $14.8 Million a Year

The cost of phishing attacks has risen almost fourfold over the past six years, according to the 2021 Cost of Phishing Report published by Proofpoint. Large companies in the United States are now losing an average of $14.8 million a year to phishing, which equates to roughly $1,500 per employee. In 2015, when the survey was first conducted, the average annual cost of phishing for large U.S. companies was $3.8 million.

Phishing emails sent to businesses typically contain links to websites where credentials are harvested. Other attacks deliver attachments containing macros or other scripts that download malware. Phishing is often the first stage of a more extensive cyberattack.

When credential theft is the goal, compromised email accounts are often used for business email compromise (BEC) scams. The threat actor uses the hijacked corporate email account to send emails to employees in the accounts department, tricking them into making fraudulent wire transfers.

Compromised Microsoft 365 credentials give attackers a foothold in the network, from which ransomware attacks can be conducted. BEC and ransomware attacks are among the costliest security breaches to mitigate, often running to millions of dollars. The 2021 Cost of a Data Breach study conducted by IBM Security and the Ponemon Institute found that ransomware attack costs have risen to an average of $4.62 million per incident.

The Cost of Phishing Report* breaks down the cost of phishing attacks by component. One of the costliest is lost employee productivity. In the United States, each employee wastes around 7 hours a year dealing with phishing scams, which for an average U.S. corporation – employing 9,567 people – equates to 63,343 wasted hours every year. When the first report was published in 2015, employees were wasting around 4 hours a year on phishing scams.

Phishing attacks have not just been increasing; they have been increasing at an alarming rate. The Anti-Phishing Working Group (APWG) estimates that phishing attacks doubled in 2020 alone.

“Because threat actors now target employees instead of networks, credential compromise has exploded in recent years, leaving the door wide-open for much more devastating attacks like BEC and ransomware,” said Ryan Kalember, executive vice president of cybersecurity strategy, Proofpoint. “Until organizations deploy a people-centric approach to cybersecurity that includes security awareness training and integrated threat protection to stop and remediate threats, phishing attacks will continue.”

The cost of containing a phishing attack in which credentials are compromised has increased from $381,920 in 2015 to $692,531 in 2021. The number of phishing-related credential compromises has also increased, with the average company now having to mitigate 5.3 compromises a year.

Phishing attacks often lead to malware and ransomware infections and to BEC attacks. The cost of mitigating a malware attack has more than doubled, rising from $338,098 in 2015 to $807,506 in 2021. Ransomware attacks now cost large organizations $5.66 million annually, and BEC attacks cost large organizations an average of $6 million a year.

“Business leaders should pay attention to probable maximum loss scenarios,” suggests Proofpoint. “For instance, BEC attacks could incur losses from business disruptions of up to $157 million if organizations aren’t prepared. Malware resulting in data exfiltration could cost businesses up to $137 million.”

Businesses that fail to take sufficient action to prevent phishing attacks are likely to pay the price, and that price will far exceed the cost of implementing anti-phishing defenses and an ongoing security awareness training program for employees.

*The report is based on a survey of 600 IT and IT security practitioners in the United States, conducted by the Ponemon Institute in 2021.

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of