The Cost of Phishing For Businesses

Since the beginning of email, cybercriminals have used phishing messages as a gateway to sensitive information. There is no sign of phishing slowing down: it is a lucrative business that feeds other profitable activities such as direct ransomware attacks. Everyone knows there is a financial cost associated with phishing attacks (which often lead to ransomware), but far more is at stake than the big payout.

Phishing also takes a toll on the teams tasked with defending users against it. Phishing has been successful enough that threat actors now sell Phishing-as-a-Service offerings, advertised as bypassing most spam filters, for $1,500. Let's discuss the financial costs an attack can have on a business, the three business costs of phishing protection, and how you can ensure the safety of your business.

The Cost of Phishing Protection for Businesses

The increase in phishing attempts takes an expensive toll on organizations and their teams tasked with defending users against these attacks. The three types of costs to business include:

The Time Cost of Phishing Defense

Dealing with phishing emails is time-consuming, energy-depleting, and distracting for team members who could be focusing on other projects. Market intelligence company Osterman recently determined that IT and security teams spend on average 27.5 minutes handling a single phishing email, and that 70% of organizations spend 16-60 minutes from discovery of a threat to its removal. One-third of working hours each week are spent on phishing-related activities, and 67% of employees expect the time spent mitigating phishing risks each week to stay the same or increase, driving up the financial cost of handling these threats.

The Financial Cost of Phishing Defense 

Threat actors invest money into phishing schemes to increase the volume of messages and the odds of a successful campaign. This means that dealing with phishing messages becomes financially expensive for organizations. Discovering and mitigating a single phishing email costs $31.32, and that cost multiplies with the volume of phishing messages received.

Nearly one-third of staff time each week spent handling phishing threats equates to $45,726 in salary and benefits per IT and security professional. For an IT and security team of 10, that is around $457,260 per year in labor spent handling phishing threats.

The Cost of Doing Nothing 

The average cost of a data breach with phishing as the initial attack vector is $4.91 million, and the average cost of a ransomware attack, excluding the ransom itself, is $4.54 million. These figures do not include the loss of customer trust, reputation, and market value, or regulatory fines.

Most corporate staff are trained to recognize potentially malicious emails, which has pushed cybercriminals toward more problematic and evasive tactics to ensure success.

How Attacks Are Delivered

Phishing is a popular threat that continues to grow more widespread every year. Cybersecurity threat trends suggest that at least one person clicked a phishing link in around 86% of organizations, and that phishing accounts for around 90% of data breaches. As the attacks become more complex and damaging, organizations will spend more time and money mitigating them.

Attackers use adaptive techniques, or polymorphic attacks, that slightly alter each phishing message so that signature-based filters are less likely to flag it as a phishing scam.

Avoid Phishing Emails

Being aware of some basic email security tips and best practices for recognizing and avoiding phishing emails is a critical part of protecting sensitive information and preventing attacks. Some basic tips include:

  • Check for spelling and grammatical errors, which are a key indication that an email may be a phishing attempt. Also, keep an eye out for suspicious subject lines and signatures.
  • Don’t trust the display name. Just because an email says it’s from a known and trusted sender doesn’t necessarily mean it really is. Even if the email address is legitimate, the message could be coming from a compromised account.
  • Evaluate the salutation. Is the greeting vague or general? Does the tone sound suspicious coming from the person the email is supposed to be from?
  • If an email appears strange in any way, make a phone call to the sender to confirm the legitimacy of the email prior to interacting with it.
  • If you receive an email from a source you know but it seems suspicious, contact that source with a new email, rather than simply hitting reply.
  • Scan all attachments for viruses, malware, or other dangerous code.
  • Verify shared links to ensure that they do not lead to fraudulent websites or malicious code.
  • Beware of urgency. Phishing emails often try to convince recipients to act quickly, without thinking things through.
  • Take adequate time to evaluate each email you receive before clicking on links or downloading attachments.
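Several of the tips above (the display name, where replies really go, where a link really points, urgency wording, and risky attachments) can be checked mechanically before a message reaches a person. The following is an added example, not code from the original post: a Python triage routine that parses one message with the standard library and reports which of those warning signs it shows. The trusted domains, brand words, urgency phrases, and both sample messages are constructed for illustration.

```python
"""Heuristic phishing triage of one email message (added example, not the post's code)."""
import re
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed: the organisation's own domains and the brand words that belong to them.
TRUSTED_DOMAINS = {"acme.example", "partner-eng.example"}
BRAND_WORDS = {"acme": "acme.example", "partner eng": "partner-eng.example"}
# Constructed: wording that pressures the reader to act before verifying.
URGENCY_PHRASES = ("urgent", "immediately", "within 24 hours", "account will be suspended")
RISKY_EXTENSIONS = (".exe", ".scr", ".js", ".vbs", ".iso", ".htm", ".html")
_ANCHOR = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)


def registrable_domain(host: str) -> str:
    """Crude eTLD+1 (last two labels); sufficient for these heuristics."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def domain_of_address(addr: str) -> str:
    return registrable_domain(addr.rsplit("@", 1)[1]) if "@" in addr else ""


def assess_message(raw: bytes) -> list[str]:
    """Return sorted, de-duplicated finding labels for one RFC 5322 message."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = set()

    display, addr = parseaddr(str(msg.get("From", "")))
    from_domain = domain_of_address(addr)

    # "Don't trust the display name": a trusted brand in the name, but the
    # sending address is not on that brand's domain.
    for word, legit in BRAND_WORDS.items():
        if word in display.lower() and from_domain != legit:
            findings.add("display-name-impersonation")

    # Replies quietly redirected to a domain other than the sender's.
    _, reply = parseaddr(str(msg.get("Reply-To", "")))
    if reply and domain_of_address(reply) != from_domain:
        findings.add("reply-to-mismatch")

    body_text, html_parts = [], []
    for part in msg.walk():
        if part.get_content_disposition() == "attachment":
            # "Scan all attachments": here we only flag executable-looking names.
            if (part.get_filename() or "").lower().endswith(RISKY_EXTENSIONS):
                findings.add("risky-attachment")
            continue
        ctype = part.get_content_type()
        if ctype == "text/plain":
            body_text.append(part.get_content())
        elif ctype == "text/html":
            html_parts.append(part.get_content())

    # "Verify shared links": the visible text names one domain, the href another.
    for html in html_parts:
        for href, shown in _ANCHOR.findall(html):
            shown = re.sub(r"<[^>]+>", "", shown).strip()
            target = urlparse(href).hostname or ""
            visible = urlparse(shown if "://" in shown else "//" + shown).hostname or ""
            if "." in visible and registrable_domain(visible) != registrable_domain(target):
                findings.add("link-text-mismatch")
        body_text.append(re.sub(r"<[^>]+>", " ", html))

    # "Beware of urgency": pressure wording in the subject or body.
    haystack = (str(msg.get("Subject", "")) + " " + " ".join(body_text)).lower()
    if any(phrase in haystack for phrase in URGENCY_PHRASES):
        findings.add("urgency-language")

    return sorted(findings)


def risk_level(findings: list[str]) -> str:
    """Coarse bucket for routing: one sign is worth a look, several warrant a hold."""
    return "high" if len(findings) >= 3 else "medium" if findings else "low"


# Constructed sample: a vendor-impersonation message with a redirected Reply-To,
# a disguised link, urgency wording and a double-extension attachment.
SAMPLE_PHISH = b"""\
From: "Acme Accounts Payable" <billing@acme-invoices-secure.example>
Reply-To: payments@mail-relay.example
To: finance@acme.example
Subject: URGENT: updated wire instructions
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<p>Our bank details changed. Please update the wire <b>immediately</b>.</p>
<p><a href="http://acme-invoices-secure.example/update">https://portal.acme.example/vendors</a></p>
--b1
Content-Type: application/octet-stream; name="Wire_Instructions.pdf.exe"
Content-Disposition: attachment; filename="Wire_Instructions.pdf.exe"
Content-Transfer-Encoding: base64

AAAA
--b1--
"""

# Constructed sample: an ordinary internal message that should raise nothing.
SAMPLE_LEGIT = b"""\
From: "Acme Accounts Payable" <billing@acme.example>
To: finance@acme.example
Subject: March invoice
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"

The March invoice is available in the vendor portal at https://portal.acme.example/vendors.
"""

if __name__ == "__main__":
    for label, raw in (("suspicious", SAMPLE_PHISH), ("benign", SAMPLE_LEGIT)):
        found = assess_message(raw)
        print(label, risk_level(found), found)
```

Each finding maps back to one tip, so a reviewer sees why a message was held rather than a bare score. The checks are deliberately conservative: a brand word in the display name is only a finding when the sending domain is not the brand's own, and a link is only flagged when its visible text itself looks like an address that disagrees with the real target.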

With proper preparation, you can drastically lower the cost and impact of an attack. Implementing even stronger practices can reduce an organization’s exposure to email threats and minimize potential damage. Many businesses continue to make the mistake of relying on endpoint security alone to safeguard users and key business assets, despite this approach being ineffective against sophisticated and evolving threats.

A capable email security solution adds layers of proactive protection accompanied by expert, ongoing system monitoring, maintenance, and support. This protection must be able to anticipate and learn from emerging attacks and offer the real-time business insights required to improve decision-making and policy enforcement.

Email Scam Costs Construction Company $800K

In the summer of 2022, authorities seized more than $800,000 from a bank account in Houston controlled by people accused of using online scams to defraud a construction management company, according to U.S. Attorney Alamdar Hamdani.

The U.S. Attorney's Office filed a civil complaint in late January alleging that one or more unidentified perpetrators used phishing attacks or malware to gain access to the construction company's email servers and accounts in order to divert payments the company owed to an engineering company it was working with on a railway expansion project in California.

The attackers identified the construction company employees who were responsible for financial dealings and sent them emails from a fake address posing as an employee of the engineering company. Soon after, the construction management company was tricked into sending money to the Houston bank account controlled by the conspirators, according to officials.

According to the complaint, the bank account was opened under the name "H&H Engineering Construction Inc.," a California-based rail maintenance and construction contractor. The attackers used a business email compromise scheme to compromise and copy legitimate business email accounts and use them to claim wire payments from legitimate transactions. From October 2013 to July 2019, there were over 69,000 such schemes in the U.S., accounting for more than $10 billion in losses, according to the FBI.

Keep Learning About Phishing Prevention

The number of phishing attacks continues to increase and plague businesses of all sizes, making it imperative that your organization is prepared in the event of an attack. Implementing a comprehensive email security system can help prevent advanced threats such as targeted spear phishing and ransomware.
