Study: Phishing scams cost large US companies about $15 million a year

Workers prepare a presentation of advanced e-mail at a technology trade fair March 5, 2012, in Hanover, Germany. (Sean Gallup/Getty Images)

Phishing attacks cost large U.S. organizations about $15 million a year, almost tripling since 2015, according to a new report.

The Ponemon Institute surveyed 591 IT and IT security practitioners in organizations in the United States, with 44% of respondents from organizations with 1,000 or more employees. The survey, released Tuesday, was sponsored by Proofpoint.

The 2021 Cost of Phishing Study found the annual cost of phishing attacks increased from $3.8 million in 2015 to $14.8 million in 2021. The research looked at the various costs of a phishing attack, including the costs associated with fixing infected systems, loss of employee productivity and containing phishing-based credential compromises.

The costs associated with ransomware and business email compromise (BEC), however, were not measured in the 2015 study. Ransomware cost companies $5.66 million on average in 2021, with the ransom itself accounting for $790,000.

According to the study, BEC is a security exploit in which the attacker targets employees who have access to an organization's funds or data. The average total cost of BEC exploits was $5.96 million, and the average total amount paid to BEC attackers was $1.17 million.

“When people learn that an organization paid millions to resolve a ransomware issue, they assume that fixing it cost the company just the ransom. What we found is that ransoms alone account for less than 20 percent of the cost of a ransomware attack,” said Larry Ponemon, chairman and founder of the Ponemon Institute, in a statement. “Because phishing attacks increase the likelihood of a data breach and business disruption, most of the costs incurred by companies come from lost productivity and remediation of the issue rather than the actual ransom paid to the attackers.”

Cleaning and fixing infected systems and conducting forensic investigations were the most time-consuming tasks in resolving the attacks. The average total cost to resolve malware attacks increased from $338,098 in 2015 to $807,506 in 2021. Costs due to the inability to contain malware rose from an average of $3.1 million to $5.3 million over the same period.

The loss of employee productivity is also among the costliest to organizations, increasing from an average of $1.8 million in 2015 to $3.2 million in 2021.

As many organizations deal with having remote and hybrid workforces, successful phishing attacks are expected to increase.
