The new Osterman report we commissioned put a clean number on something I've been arguing about for two years. The average cost to handle a single phishing email dropped 12% since 2022, from $31.32 to $27.51. My first instinct was to write that up as a win. AI-powered defenses are working, costs are down, take the victory lap.
Then I read how the average got there. It's a softer win than it looks, and if you hand that number to your CFO without the context behind it, you're setting up a bad conversation a few quarters from now.
In this post I'm going to pull apart that one number, because it behaves nothing like a CFO expects an average to behave. Scroll to the bottom if you just want the five key takeaways from the full report.
The report measures the full cost of a phishing email, the time from the moment someone spots a suspicious message to the moment it's completely removed from the environment. Average handling time dropped from 27.5 minutes in 2022 to 23.2 minutes in 2025, about 16% faster. Cost tracks time, so the average cost per email fell right alongside it.
That improvement is real, and AI-powered email defenses earned it. But the average didn't drop because any single response got cheaper. It dropped because more organizations moved into the faster time buckets. The mix shifted toward speed. That's a different claim than "phishing got cheaper to handle," and the difference is where the trouble starts.
On page 10, the report notes that while the overall average came down, the cost per phishing email rose since 2022 for every specific handling-time bucket. Salaries are why. The composite fully burdened cost of an IT or security professional climbed to $71.15 an hour from $68.26, roughly 4%. So a 30-minute response costs more today than the same 30-minute response did three years ago.
Read that against your own team. If your handling time held steady since 2022, and for plenty of teams it has, your cost per phish didn't fall 12%. It rose about 4%. The industry average improved around you while your actual bill moved the other way. The headline number quietly assumes you got faster. If you didn't, it's describing someone else's progress.
The $27.51 sits on top of a distribution that runs 30x wide. An organization that clears a reported phish in under five minutes spends $2.96 on it. An organization that takes more than an hour spends $88.93. Same email, same threat, a 30x difference in what it costs to resolve.
And most teams are not near the cheap end. Two-thirds of organizations (67%) land in the 16-to-60-minute range. The average is a line that a large share of orgs sit well above. It tells you what the market looks like in aggregate. It tells you nothing about where your team actually lands.
The report models the cost out by volume, and the spread gets loud fast. At 1,000 phishing emails a year, the under-five-minute organization spends about $3,000 in labor. The hour-plus organization spends about $89,000. Same volume, same year, an $86,000 gap that comes entirely from how long the playbook takes to run.
So ask the question that matters more than the headline. How many minutes does your team spend per reported phish, end to end, from the moment it hits the queue to the moment it's pulled from every inbox? Multiply that by your annual phishing volume. That product is your real bill, not $27.51.
If you land at 45 to 60 minutes, you're running at two to three times the published average. At enterprise volume that's a six-figure line item hiding inside "we've got it handled." It won't show up until someone asks why the security team's hours keep climbing while the per-incident dashboard looks great.
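Here is the post's arithmetic as an added example (my own code, not the report's or the post's), covering both the "every bucket got pricier while the average fell" point and the "minutes times volume is your real bill" calculation. The hourly rates are the ones quoted above; the bucket midpoints and the 2022-versus-2025 share split are assumptions built to show the mix shift, not survey figures.

```python
# Added example: reproduces the post's cost arithmetic so you can plug in
# your own handling time and phishing volume instead of the $27.51 average.

HOURLY_2022 = 68.26   # fully burdened hourly rate quoted in the post
HOURLY_2025 = 71.15


def cost_per_phish(minutes: float, hourly_rate: float) -> float:
    """Labor cost of one reported phish from end-to-end handling minutes."""
    return round(hourly_rate * minutes / 60, 2)


def annual_bill(minutes: float, hourly_rate: float, volume: int) -> float:
    """Your real bill: per-phish cost times annual reported-phish volume."""
    return round(cost_per_phish(minutes, hourly_rate) * volume, 2)


# Handling-time buckets as (assumed midpoint minutes, share of orgs).
# The shares are CONSTRUCTED to illustrate a shift toward faster buckets;
# they are not the report's numbers.
BUCKETS_2022 = [(2.5, 0.15), (10.0, 0.20), (38.0, 0.50), (75.0, 0.15)]
BUCKETS_2025 = [(2.5, 0.20), (10.0, 0.30), (38.0, 0.45), (75.0, 0.05)]


def weighted_average_cost(buckets, hourly_rate: float) -> float:
    """Industry-style average: bucket cost weighted by bucket share."""
    return round(sum(cost_per_phish(m, hourly_rate) * s for m, s in buckets), 2)


def mix_shift_paradox():
    """Return (every bucket costs more in 2025, average fell, avg22, avg25)."""
    per_bucket_up = all(
        cost_per_phish(m, HOURLY_2025) > cost_per_phish(m, HOURLY_2022)
        for m, _ in BUCKETS_2022
    )
    avg_2022 = weighted_average_cost(BUCKETS_2022, HOURLY_2022)
    avg_2025 = weighted_average_cost(BUCKETS_2025, HOURLY_2025)
    return per_bucket_up, avg_2025 < avg_2022, avg_2022, avg_2025


if __name__ == "__main__":
    # A team that held steady at 40 minutes since 2022 pays more per phish,
    # not less, even though the published average dropped.
    print(cost_per_phish(40, HOURLY_2022), "->", cost_per_phish(40, HOURLY_2025))
    # A 45-minute playbook at 5,000 reported phish a year (assumed volume).
    print("annual bill:", annual_bill(45, HOURLY_2025, 5000))
    print("mix shift:", mix_shift_paradox())
```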
One more figure, because the per-email cost is only half the story. Even with faster handling, organizations now spend 36.5% of their security team's working hours on phishing, up from 33.5% in 2022. Per composite analyst, that works out to $51,948 a year, up 13.6%.
Put the two facts side by side. Cost per incident went down. Total spend on phishing went up. Both are true at the same time, because AI cut the minutes per email while AI-generated attacks multiplied the number of emails.
The efficiency gain was genuine. Volume swallowed it.
When someone waves the falling cost-per-phish number around as proof that AI solved the economics of phishing, that's the number lying to your CFO. The price of handling one email went down. The amount you spend handling phishing went up. The only way to know which side of that you're on is to stop benchmarking against the average and start tracking two things you control, your own per-incident handling time and your phishing volume trend. Watch both quarter over quarter.
The average is everyone else's story. Your bill is the one that lands on your budget.
The (Higher) Business Cost of Phishing, conducted by Osterman Research, surveyed 128 IT and security professionals at organizations with 1,000 to 5,000 employees. Its five conclusions:
You can read the full report here: The (Higher) Business Cost of Phishing.