Phishing Costs Nearly Quadrupled Over The Past 6 Years

by Diana Panduru | August 21, 2021 | Cybersecurity News

Phishing costs rose sharply over the last six years, but the money paid out to attackers is not the largest part of the bill. Lost productivity, damaged business relationships, reputational harm, and the general cleanup that follows an attack are what make phishing costs explode.

Phishing Costs On The Rise

Researchers found that the cost of phishing attacks has almost quadrupled since 2015. The average large US company now loses $14.8 million per year to phishing, or roughly $1,500 per employee.

Six years ago, the equivalent figure was $3.8 million.

Phishing Leads To The Costliest Cyberattacks

According to a new study from Proofpoint, released Tuesday, phishing leads to the most financially devastating cyberattacks.

One of the most expensive threat types is BEC, business email compromise. Its costs skyrocketed during 2020, with over $1.8 billion stolen from organizations. Attackers use increasingly sophisticated strategies, either posing as someone inside the company or impersonating a partner or a supplier, to get fraudulent payments approved.

Another notably expensive type of attack is ransomware, where the ransom demand itself can run into millions.

But extortion payments in ransomware attacks and fraudulent BEC wire transfers are only the tip of the iceberg, according to the same study.

“When people learn that an organization paid millions to resolve a ransomware issue, they assume that fixing it cost the company just the ransom. What we found is that ransoms alone account for less than 20 percent of the cost of a ransomware attack,” said Larry Ponemon, chairman and founder of Ponemon Institute, in a press release. “Because phishing attacks increase the likelihood of a data breach and business disruption, most of the costs incurred by companies come from lost productivity and remediation of the issue rather than the actual ransom paid to the attackers.”

Lost Productivity Is The Biggest Of Phishing Costs

Lost productivity and recovery from an attack account for most phishing costs. The study tabulates the hours an average-sized organization spends each year on six recovery tasks; the most time-consuming are cleaning and fixing infected systems and conducting investigations.

Recovery accounts for the biggest phishing costs.
Phishing cost components. Source: Ponemon Institute
Phishing cost categories distribution. Source: Ponemon Institute

According to the study, the average US organization, with 9,567 employees, loses 63,343 work hours to phishing every year. That works out to approximately 7 hours per employee per year, 3 hours more than in 2015.

Estimated hours per employee each year spent dealing with phishing scams. Source: Ponemon Institute

Phishing Costs – Facts And Figures

  • BEC costs a large company almost $6 million annually. Of that, payments made to attackers account for only $1.17 million.
  • Large organizations suffer $5.66 million in damages every year due to ransomware. Of that, only $790,000 goes to the attackers as actual ransom payments.
  • Security awareness training significantly reduces phishing costs (by more than 50% on average).
  • Malware-related costs have more than doubled since 2015, reaching $807,506 in 2021.
  • The average cost of dealing with phishing-based credential theft nearly doubled over the past six years, from $381,920 in 2015 to $692,531 in 2021. Organizations saw an average of 5.3 credential compromises over a 12-month period.
  • Business leaders should also plan for the worst case, the probable maximum loss. For example, BEC scams can cause losses of up to $157 million if an organization isn't well prepared, and malware attacks involving data exfiltration can cost companies up to $137 million.

Ryan Kalember, executive vice president of cybersecurity strategy at Proofpoint, said that the cost of credential compromise has “exploded” in recent years because attackers have shifted their focus from networks to employees. This leaves the door “wide-open for much more devastating attacks like BEC and ransomware,” he said. “Until organizations deploy a people-centric approach to cybersecurity that includes security awareness training and integrated threat protection to stop and remediate threats, phishing attacks will continue.”

Phishing costs this high can mean the end of a small or medium-sized company. ATTACK Simulator's Security Awareness Training teaches your employees to spot and report phishing with realistic phishing simulations.

Get your quote here or use our Security Awareness Training Free Trial to rest assured that you’re in good hands.


by Diana Panduru
