Lost productivity & mopping up after the costly attacks that follow phishing – BEC & ransomware in particular – eat up most costs, not payouts to crooks.
Research shows that the cost of phishing attacks has nearly quadrupled over the past six years: Large U.S. companies are now losing, on average, $14.8 million annually, or $1,500 per employee.
That’s up sharply from 2015’s figure of $3.8 million, according to a new study from Ponemon Institute that was sponsored by Proofpoint.
According to the study, released Tuesday, phishing leads to some of the costliest cyberattacks.
One of the most expensive threat types is business email compromise (BEC). BEC costs ramped up significantly in 2020, with more than $1.8 billion stolen from organizations as cybercrooks launch ever slicker attacks, either impersonating someone inside an organization or masquerading as a partner or vendor in order to pull off financial scams.
Ransomware is another of the most expensive attack types, as experts have tracked skyrocketing ransom costs.
But what businesses shell out for extortion payments in ransomware attacks or what gets jimmied out of them in fraudulent BEC wire transfers are both just portions of the true costs of phishing attacks, according to the study, titled The 2021 Cost of Phishing.
“When people learn that an organization paid millions to resolve a ransomware issue, they assume that fixing it cost the company just the ransom. What we found is that ransoms alone account for less than 20 percent of the cost of a ransomware attack,” said Larry Ponemon, chairman and founder of Ponemon Institute, in a press release. “Because phishing attacks increase the likelihood of a data breach and business disruption, most of the costs incurred by companies come from lost productivity and remediation of the issue rather than the actual ransom paid to the attackers.”