IT Pro is supported by its audience. When you purchase through links on our site, we may earn an affiliate commission. Learn more

US companies lose $14.8 million annually to phishing attacks

But business email compromise (BEC) and ransomware attacks remain the most expensive threats

Fishing hook attached to an "at" symbol

Phishing costs have almost quadrupled over the past six years as major US organizations lose an average of $14.8 million annually to the attacks, according to a new report.

The new study by Ponemon Institute found that the most expensive threats to businesses include business email compromise (BEC) and ransomware attacks. However, in BEC attacks, payments to hackers made up less than 20% of the total costs.

The survey of IT security practitioners found loss of productivity was one of phishing’s costliest outcomes. In an average-sized US corporation of 9,567 people, this translates to 65,343 wasted hours every year. Each employee loses an average of seven hours annually due to phishing scams, an increase from four hours in 2015, according to the study.

The Cost of Phishing report also found that the costs for resolving malware infections have more than doubled since 2015. The average total cost to resolve malware attacks is $807,506 in 2021, an increase from $338,098 in 2015.

BEC costs organizations an average of $5.96 million annually — only $1.17 million of that are payments organizations make to BEC attackers. The report added that BEC attacks could result in losses of up to $157 million from business disruptions if organizations aren’t prepared. Malware resulting in data exfiltration could cost businesses $137.2 million.

Related Resource

Prevent fraud and phishing attacks with DMARC

How to use domain-based message authentication, reporting, and conformance for email security

Prevent fraud and phishing attacks with DMARC - whitepaper from MimecastFree download

The report also found the average cost of ransomware last year was $5.66 million, and 17.6% of those attacks stemmed from phishing. The report said employee training and awareness programs on the prevention of phishing attacks can reduce costs. According to the research, the average annual cost of phishing scams is $14.8 million, an increase from $3.8 million in 2015.

The survey also found that credential compromises have increased, forcing organizations to spend more to respond to these attacks. The average cost to contain phishing-based credential compromises increased from $381,920 in 2015 to $692,531 in 2021. Organizations are experiencing an average of 5.3 compromises over the past 12-month period, the report said.

Ryan Kalember, executive vice president of cyber security strategy at Proofpoint, said with threat actors now targeting employees instead of networks, credential compromise has exploded, “leaving the door wide-open for much more devastating attacks like BEC and ransomware.”

“Until organizations deploy a people-centric approach to cybersecurity that includes security awareness training and integrated threat protection to stop and remediate threats, phishing attacks will continue,” Kalember added.

Featured Resources

Mastering retention

Turning user behaviour insights into retention strategies

Free Download

Dell PowerEdge with AMD

IT applications and infrastructure are the prime catalyst for new revenue creation

Free Download

Building for success with off-premises private cloud

Leveraging co-location facilities to execute your cloud strategy

Free Download

Cyber resiliency and end-user performance

Reduce risk and deliver greater business success with cyber-resilience capabilities

Free Download

Recommended

The future of work is already here. Now’s the time to secure it.
Whitepaper

The future of work is already here. Now’s the time to secure it.

21 Sep 2022
What is the Computer Misuse Act?
Policy & legislation

What is the Computer Misuse Act?

2 Sep 2022
Escape the ransomware maze
Whitepaper

Escape the ransomware maze

23 Aug 2022
Cyber resiliency and end-user performance
Whitepaper

Cyber resiliency and end-user performance

17 Aug 2022

Most Popular

46 US states call for Meta monopoly lawsuit to be reinstated
mergers and acquisitions

46 US states call for Meta monopoly lawsuit to be reinstated

20 Sep 2022
Anonymous hacks Iranian government and state broadcasters
cyber attacks

Anonymous hacks Iranian government and state broadcasters

22 Sep 2022
Why collaboration is key to digital transformation
Sponsored

Why collaboration is key to digital transformation

13 Sep 2022