BEC and EAC

New Ponemon Study Finds the Annual Cost of Phishing Scams Has More Than Tripled Since 2015

Phishing email campaigns, which rely on social engineering to deceive users, are a go-to tactic for many cyber criminals. They’re easy to execute, and the potential returns can be quite lucrative. And for the organizations targeted by successful phishing attacks, the financial losses can be substantial as show below.

FY15 vs. FY21 Phishing Attack Financial Losses

Figure 1: Table Showing FY15 vs. FY21 Phishing Attack Financial Losses

The Ponemon Cost of Phishing report shows a breakdown of annual costs incurred by organizations, and the dramatic rise of costs associated with Business Email Compromise (BEC), or Email Fraud as well as Ransomware attacks

The cost of phishing scams has been rising exponentially in recent years. According to new research from Ponemon Institute, featured in the Proofpoint-sponsored report, The 2021 Cost of Phishing Study, the average annual cost of a phishing scam in 2021 is $14.8 million for a 9,600-employee organization, or slightly more than $1,500 per employee. That’s more than triple the amount in 2015, which was $3.8 million.

Various factors contributing to the rising cost of phishing

Expected Cost of Malware Attacks

Figure 2: Table Showing the Expected Cost of Malware Attacks

The cost of malware attacks uncontained represent significant risk to business leaders, with maximum losses from business disruptions and data exfiltration both exceeding $100 million annually

The inability to contain malware is one reason the cost of phishing is increasing. It represents 11% of the total cost for organizations, in fact, or about $800 thousand annually, up from ~$340 thousand in 2015, Ponemon reports. Malware that is hard to contain, as defined in the study, is malware at the device level that has evaded traditional defenses like firewalls, anti-malware software and intrusion prevention systems. Active malware attacks that involve data exfiltration and business disruption are the most difficult to contain.

Driving up the cost of phishing further is the loss of non-IT employee productivity: According to the Ponemon study, the impact of phishing scams on productivity has increased from $1.8 million in 2015 to $3.2 million this year. Employees are spending an average of about 7 hours losing time related to phishing emails —up from 4 hours three years ago.

In the study, Ponemon assumes that an average-sized organization has a headcount of 9,567 individuals with user access to corporate email systems. So, if every person is distracted by phishing scams for 7 hours per year, that means these organizations likely see more than 65,000 hours of their workers’ time wasted annually due to phishing.

The cleanup from phishing scams can also be very resource-intensive for organizations—and thus, costly. Ponemon’s research, based on survey responses from nearly 600 IT and IT security practitioners in organizations in the United States, found that the most time-consuming tasks for resolving phishing attacks are cleaning and fixing infected systems and conducting forensic investigations.

Credential Compromises Cost IT Security Teams Thousands of Hours Annually

Cost of Credential Compromises Causes by Phishing

Figure 3: Table Showing the Cost of Credential Compromises Causes by Phishing

Credential compromises are another major headache for IT and IT security practitioners, according to the Ponemon study. Over the past 12-month period, organizations experienced an average of 5.3 compromises of this nature.

Based on other research it conducted previously on the cost of credential compromise, Ponemon estimates that tech teams spend 2,050 hours investigating and responding to just one compromise. If organizations are experiencing more than five compromises annually, tech teams can expect to spend nearly 11,000 hours over the next 12 months responding to these incidents.

Ponemon’s research also found that the average cost of containing phishing-based credential compromises increased from $381,920 in 2015 to $692,531 in 2021. That figure represents a significant increase from 2015, as more organizations move to the cloud and work-from-home represents more difficulty for organizations looking to enhance cloud security.

Business Email Compromise (BEC), or Email Fraud is a major driver in the Cost of Phishing

Cost of BEC

Figure 4: Table Showing the Cost of BEC

The latest Cost of Phishing study also looked at the impact of Business Email Compromise (BEC) on phishing costs for organizations. BEC is a security exploit in which attackers target employees who have access to an organization’s funds or data. This is the first time the study has included BEC-specific data.

Ponemon reports that the average annual cost of phishing for BEC is $5.96 million. For business leaders there is the potential for organizations to spend over $150 million in a probable maximum loss scenario. If the risk doesn’t get leadership attention, on average the total amount paid to BEC attackers annually was $1.17 million among those surveyed.

BEC has become the costliest form of cyber crime. Learn six steps to managing this threat effectively in The Business Email Compromise Handbook from Proofpoint. Download your free copy now.

Ransomware Attacks are Spiking, and They’re Costing Organization Millions

Cost of Ransomware

Figure 5: Table Showing the Cost of Ransomware

Also new to the 2021 Ponemon study was the survey on the impacts of ransomware to an organization’s bottom line. With probably maximum losses in the tens of millions, and organizations spending millions to contain ransomware, the outlook on this old but rising threat should be sounding alarm bells at organizations.

Additionally, organizations on average spent almost $800k in direct costs to attackers to gain access to their data and systems. It’s worth noting, as we have explained before, that not all ransomware originates from email. Shutting down internet-facing RDP and patching all internet-facing appliances with vulnerabilities like VPNS, file transfer appliances, and mail servers are key actions you can take to protect your organization.

With these rising phishing costs and evolving threats gaining traction, it’s important to step back from point solutions, and think holistically about how to address all these threats.

An Integrated Approach to Threat Protection Can Drastically reduce Costs

The 2021 Cost of Phishing report projects that successful phishing attacks will continue to increase as organizations struggle to secure a growing remote workforce due to the COVID-19 pandemic.

There is a silver lining, though: Ponemon’s research suggests that if organizations invest in security training and awareness programs that help educate employees on how to prevent phishing attacks, not only can they undermine attackers’ efforts, but also reduce the cost of phishing overall.

The IT and IT security practitioners surveyed for the Cost of Phishing study were asked to estimate what percentage of phishing costs could be reduced through training and awareness programs that specifically address the risks of phishing attacks targeting the workforce. Based on their responses, Ponemon reports that the cost of phishing could be reduced by an average of more than half (53%).

Additionally, organizations need to think in layers to protect their organization. How effective is their email gateway at preventing threats that reach employees in the first place? Is there a way to remediate threats post delivery? Do organizations have DMARC authentication and fraud risk monitoring in place?

Organizations that take an integrated approach to threat protection can reduce risk of phishing, while streamlining operational costs. For instance, this Forrester Total Economic Impact™ study shows how a large healthcare system operator was able to reduce the risk of a data breach by over 50%, saving over $2 million annually. They also avoided the need for headcount through automation to save nearly $350,000 over three years.

Download the free report to learn more

Ponemon’s findings reveal that the bottom-line impacts of phishing attacks for organizations include not just money siphoned off by attackers, but also employee productivity losses, tech team burdens, and the increased likelihood of business disruption and data breaches.

To read the full findings from the Ponemon Institute study, including insight into how much ransomware attacks are costing businesses annually and more detailed data around BEC trends, download the report, The 2021 Cost of Phishing Study, today.

Subscribe to the Proofpoint Blog