How much does phishing really cost the enterprise?

Dive Brief: 

• The financial impact of phishing attacks quadrupled over the past six years, with the average cost rising to $14.8 million per year for U.S. companies in 2021, compared with $3.8 million in 2015, according to a study from the Ponemon Institute on behalf of Proofpoint released Tuesday. Researchers surveyed 591 IT and IT security professionals.

• Companies spent almost $6 million per year on business email compromise (BEC) recovery, which includes about $1.17 million in illicit payments made to attackers annually. Ransomware costs large organizations about $5.66 million per year, including $790,000 in ransom payments. 

• The cost of protecting credentials from compromise has also risen sharply, from $381,920 in 2015 to $692,531 in 2021. Organizations are currently seeing about 5.3 credential compromises over a 12-month period, according to the research.

Dive Insight: 

The sheer volume of phishing attacks has risen dramatically, with the volume of phishing attacks doubling during 2020, according to the Anti-Phishing Working Group. 

“It’s reasonable to conclude from the report that with increased overall costs, both per incident costs and volume of attacks have increased, since the cost of phishing has quadrupled since 2015,” Ryan Kalember, EVP of cybersecurity strategy at Proofpoint, told Cybersecurity Dive via email. 

Ransomware and BEC were not specifically broken out in the 2015 research, however those two categories have driven nearly half of the increased overall costs from phishing attacks, according to Kalember.

One of the most important costs of phishing attacks is the loss of employee productivity, according to the report. The average company loses 65,343 hours per year due to phishing attacks, based on an average size of 9,567 employees. 

Implementing security awareness training can help reduce the cost of phishing attacks by more than 50%, according to the Ponemon Institute and Proofpoint report. A multi-layered approach is the best way to combat phishing attacks, with people being at the center of any strategy. 

“It’s critical to understand which users are the most targeted, and which of them are the likeliest to fall for the social engineering that phishing attacks rely on,” Kalember said. “Users are a critical line of defense against phishing and it’s important security awareness education provides a foundation to ensure everybody can identify a phishing email and easily report it.”

BEC rose 100% in 2019 and traditional email inspection techniques do not adequately screen for BEC phishing attacks, according to Gartner research. Gartner estimates BEC attacks will double each year, reaching an impact of $5 billion by 2023. 

Researchers warn the increased use of cloud-based services like Microsoft Office 365 will leave legitimate user credentials vulnerable to attack. 

“I think the continued move to cloud is certainly contributing to the increase in BEC, in particular account takeover [as] using compromised credentials makes it a lot harder to identify BEC type attacks,” Mark Harris, senior director analyst, security and risk at Gartner, said via email. 

No single technology can fix BEC issues, but advances are being made in natural language understanding to understand the “intent” of emails as well as the use of inline banners and other warnings, according to Harris. Strong financial controls and processes are equally important in combating BEC. 

Despite efforts to mitigate such attacks, the sheer volume of daily email in the enterprise means that threat actors will continue to target these vectors in the hope of compromising legitimate credentials, according to experts.

“Phishing and BEC attacks have continued to remain a top vector to compromise because it takes advantage of the most easily susceptible mechanism to reach end users — email communication,” Kevin O’Brien, co-founder and CEO at GreatHorn.