US companies lose $14.8 million annually to phishing attacks

But business email compromise (BEC) and ransomware attacks remain the most expensive threats

Phishing costs have almost quadrupled over the past six years as major US organizations lose an average of $14.8 million annually to the attacks, according to a new report.

The new study by Ponemon Institute found that the most expensive threats to businesses include business email compromise (BEC) and ransomware attacks. However, in BEC attacks, payments to hackers made up less than 20% of the total costs.

The survey of IT security practitioners found loss of productivity was one of phishing’s costliest outcomes. In an average-sized US corporation of 9,567 people, this translates to 65,343 wasted hours every year. Each employee loses an average of seven hours annually due to phishing scams, an increase from four hours in 2015, according to the study.

The Cost of Phishing report also found that the costs for resolving malware infections have more than doubled since 2015. The average total cost to resolve malware attacks is $807,506 in 2021, an increase from $338,098 in 2015.

BEC costs organizations an average of $5.96 million annually; only $1.17 million of that is payments organizations make to BEC attackers. The report added that BEC attacks could result in losses of up to $157 million from business disruptions if organizations aren’t prepared. Malware resulting in data exfiltration could cost businesses $137.2 million.

The report also found the average cost of ransomware last year was $5.66 million, and 17.6% of those attacks stemmed from phishing. The report said employee training and awareness programs on the prevention of phishing attacks can reduce costs. According to the research, the average annual cost of phishing scams is $14.8 million, an increase from $3.8 million in 2015.

The survey also found that credential compromises have increased, forcing organizations to spend more to respond to these attacks. The average cost to contain phishing-based credential compromises increased from $381,920 in 2015 to $692,531 in 2021. Organizations are experiencing an average of 5.3 compromises over the past 12-month period, the report said.

Ryan Kalember, executive vice president of cyber security strategy at Proofpoint, said with threat actors now targeting employees instead of networks, credential compromise has exploded, “leaving the door wide-open for much more devastating attacks like BEC and ransomware.”

“Until organizations deploy a people-centric approach to cybersecurity that includes security awareness training and integrated threat protection to stop and remediate threats, phishing attacks will continue,” Kalember added.
