Cybercriminals have relied on phishing emails as a gateway to gaining access to sensitive information since the beginning of email. And reports indicate that this isn’t slowing down. For threat actors, phishing is a lucrative business made profitable through various activities like a direct ransomware attack. The success and profitability of phishing have led threat actors to offer Phishing-as-a-Service offerings that bypass SEGs for $1,500.
Unfortunately, the increasing barrage of phishing attempts takes an expensive toll on organizations and their teams tasked with defending users against these attacks. This post highlights information gathered from the recent Osterman Research report, “The Business Cost of Phishing,” and looks at the financial burden phishing scams impose on organizations
Time is money. And time spent dealing with phishing emails is not only time-consuming, but it also could lead to burnout and distract team members from working on other parts of the business. It’s reported that IT and Security teams spend, on average, 27.5 minutes to handle a single phishing email. And 70% of organizations surveyed in the Osterman Research report revealed that they spend 16-60 minutes from discovery to removal of the threat.
According to Osterman Research, respondents report that one-third of their working hours each week are spent handling phishing-related activities. Unfortunately, 67% of those surveyed expect the time spent mitigating phishing risks each week to stay the same or increase—driving up the financial costs of handling these threats.
Because phishing is so profitable and successful, threat actors are willing to invest money into it to increase the volume of messages and the odds of a successful campaign. This means that dealing with phishing messages becomes financially expensive for organizations, with the cost of phishing attacks increasing each year.
Osterman notes that discovering and mitigating a single phishing email costs $31.32, which increases exponentially as the volume of phishing messages increases. IRONSCALES research from 2019 revealed that 42% of email phishing attacks are polymorphic, with 96 attacks undergoing 251-521 permutations. Since most threat actors leverage polymorphic phishing attacks to increase success rates, defending against phishing threats becomes extremely expensive.
Osterman reported that respondents spend nearly one-third of their time each week handling phishing threats; this equates to $45,726 in salary and benefits paid per IT and Security professional. So, if you have a team of 10 IT and Security professionals, you’re spending around $457,260 per year on labor to handle phishing threats.
Most organizations take some approach to email security. However, phishing protection offered by traditional SEGs are limited compared to modern phishing threats. Even AI-only phishing protection claims to capture 99% of the threats. However, the remaining threats that get through could be catastrophic for an enterprise.
According to IBM, the average cost of a data breach with phishing as the initial attack vector is $4.91 million, and the average cost of a ransomware attack (excluding the ransom price) is $4.54 million. On top of this, there is the loss of customer trust, reputation, market value, and regulatory fines.
Download the Osterman Research Report, “The Business Cost of Phishing,” to see how phishing is impacting businesses, what threats IT and Security leaders are concerned about, and insights into the evolving threat landscape.