IT Pro is supported by its audience. When you purchase through links on our site, we may earn an affiliate commission. Learn more

US companies lose $14.8 million annually to phishing attacks

But business email compromise (BEC) and ransomware attacks remain the most expensive threats

Fishing hook attached to an "at" symbol

Phishing costs have almost quadrupled over the past six years as major US organizations lose an average of $14.8 million annually to the attacks, according to a new report.

The new study by Ponemon Institute found that the most expensive threats to businesses include business email compromise (BEC) and ransomware attacks. However, in BEC attacks, payments to hackers made up less than 20% of the total costs.

The survey of IT security practitioners found loss of productivity was one of phishing’s costliest outcomes. In an average-sized US corporation of 9,567 people, this translates to 65,343 wasted hours every year. Each employee loses an average of seven hours annually due to phishing scams, an increase from four hours in 2015, according to the study.

The Cost of Phishing report also found that the costs for resolving malware infections have more than doubled since 2015. The average total cost to resolve malware attacks is $807,506 in 2021, an increase from $338,098 in 2015.

BEC costs organizations an average of $5.96 million annually — only $1.17 million of that are payments organizations make to BEC attackers. The report added that BEC attacks could result in losses of up to $157 million from business disruptions if organizations aren’t prepared. Malware resulting in data exfiltration could cost businesses $137.2 million.

Related Resource

Prevent fraud and phishing attacks with DMARC

How to use domain-based message authentication, reporting, and conformance for email security

Prevent fraud and phishing attacks with DMARC - whitepaper from MimecastFree download

The report also found the average cost of ransomware last year was $5.66 million, and 17.6% of those attacks stemmed from phishing. The report said employee training and awareness programs on the prevention of phishing attacks can reduce costs. According to the research, the average annual cost of phishing scams is $14.8 million, an increase from $3.8 million in 2015.

The survey also found that credential compromises have increased, forcing organizations to spend more to respond to these attacks. The average cost to contain phishing-based credential compromises increased from $381,920 in 2015 to $692,531 in 2021. Organizations are experiencing an average of 5.3 compromises over the past 12-month period, the report said.

Ryan Kalember, executive vice president of cyber security strategy at Proofpoint, said with threat actors now targeting employees instead of networks, credential compromise has exploded, “leaving the door wide-open for much more devastating attacks like BEC and ransomware.”

“Until organizations deploy a people-centric approach to cybersecurity that includes security awareness training and integrated threat protection to stop and remediate threats, phishing attacks will continue,” Kalember added.

Featured Resources

Accelerating AI modernisation with data infrastructure

Generate business value from your AI initiatives

Free Download

Recommendations for managing AI risks

Integrate your external AI tool findings into your broader security programs

Free Download

Modernise your legacy databases in the cloud

An introduction to cloud databases

Free Download

Powering through to innovation

IT agility drive digital transformation

Free Download

Recommended

LockBit 2.0 ransomware disguised as PDFs distributed in email attacks
Security

LockBit 2.0 ransomware disguised as PDFs distributed in email attacks

27 Jun 2022
Best free malware removal tools 2022
Security

Best free malware removal tools 2022

22 Jun 2022
A guide to cyber security certification and training
Careers & training

A guide to cyber security certification and training

16 Jun 2022
What is shoulder surfing?
social engineering

What is shoulder surfing?

10 Jun 2022

Most Popular

Former Uber security chief to face fraud charges over hack coverup
data breaches

Former Uber security chief to face fraud charges over hack coverup

29 Jun 2022
Macmillan Publishers hit by apparent cyber attack as systems are forced offline
Security

Macmillan Publishers hit by apparent cyber attack as systems are forced offline

30 Jun 2022
FCC commissioner urges Apple and Google to remove TikTok from app stores
data protection

FCC commissioner urges Apple and Google to remove TikTok from app stores

29 Jun 2022