The average cost of phishing for large US organizations has soared by 289% over the past six years, with firms now losing nearly $15m annually, according to Proofpoint.
The security vendor commissioned the Ponemon Institute to poll nearly 600 IT and IT security practitioners to compile its latest Cost of Phishing study.
It revealed that the average large US organization loses $14.8m per year to phishing-related cybercrime, up from $3.8m in 2015 and calculated at $1,500 per employee.
Phishing for credentials is a common starting point for ransomware and Business Email Compromise (BEC). The study claimed that ransomware costs large organizations $5.7m annually, while BEC accounts for $6m.
However, although these are average figures, they could rapidly escalate in some circumstances. Companies including Cognizant, Sopra Steria and Norsk Hydro have all suffered losses in the tens of millions of dollars following ransomware incidents. The FBI recorded total BEC losses of $1.8 billion from reported incidents in 2020.
Ponemon Institute founder Larry Ponemon warned firms that the cost of a ransomware attack could amount to much more than the initial pay-out to threat actors.
“What we found is that ransoms alone account for less than 20% of the cost of a ransomware attack,” he explained. “Because phishing attacks increase the likelihood of a data breach and business disruption, most of the costs incurred by companies come from lost productivity and remediation of the issue rather than the actual ransom paid to the attackers.”
According to Proofpoint, the cost of resolving malware infections has doubled since 2015, from $338,098 to $807,506.
Yet it’s not just infections that can eat into profits. The report claimed that the average cost to contain initial credential phishing compromises increased from $381,920 in 2015 to $692,531 in 2021 — with companies typically experiencing more than five of these incidents each year.
“Because threat actors now target employees instead of networks, credential compromise has exploded in recent years, leaving the door wide open for much more devastating attacks like BEC and ransomware,” said Ryan Kalember, EVP of cybersecurity strategy at Proofpoint.
“Until organizations deploy a people-centric approach to cybersecurity that includes security awareness training and integrated threat protection to stop and remediate threats, phishing attacks will continue.”