The Cost of Phishing For Businesses
- by Justice Levine

Since the first phishing email sometime around 1995, cybercriminals have used phishing emails as a gateway to gaining access to sensitive information. Unfortunately, there are no signs of phishing attacks slowing down as it is a lucrative business that profits from activities such as direct ransomware attacks.
Everyone knows there’s a financial cost associated with phishing attacks (that often lead to ransomware), but there’s so much more at stake than just paying the ransom.
The increase in phishing attempts takes a toll on organizations and their teams tasked with defending users against these attacks. Successful phishing has led threat actors to offer Phishing-as-a-Service scams that bypass most spam filters for $1,500. Let’s discuss the financial costs an attack can have on a business, as well as the three business costs of phishing protection and how you can ensure the safety of your business.
The Cost of Phishing Protection for Businesses
The increase in phishing attempts takes an expensive toll on organizations and their teams tasked with defending users against these attacks. The three types of costs to business include:
The Time Cost of Phishing Defense
Dealing with phishing emails is time-consuming, energy-depleting, and distracting for team members who could be focusing on other projects. Market intelligence company Osterman recently determined that IT and security teams, on average, spend 27.5 minutes handling a single phishing email, and 70% of organizations spend 16-60 minutes from discovery to removal of the threat. One-third of working hours each week are spent handling phishing-related activities, and 67% of employees expect the time spent mitigating phishing risks each week to stay the same or increase, which raises the financial cost of handling these threats.
The Financial Cost of Phishing Defense
Threat actors invest money into phishing schemes to increase the volume of messages and the odds of a successful campaign. This means that dealing with phishing messages becomes financially expensive for organizations. Discovering and mitigating a single phishing email costs $31.32, and that cost grows with the volume of phishing messages received.
Nearly one-third of staff time each week spent handling phishing threats equates to $45,726 in salary and benefits paid per IT and security professional. An IT and security team of 10 therefore costs around $457,260 per year in labor to handle phishing threats.
The Cost of Doing Nothing
The average cost of a data breach with phishing as the initial attack vector is $4.91 million, and the average cost of a ransomware attack - excluding the ransom price - is $4.54 million. This doesn’t include the loss of customer trust, reputation, market value, and regulatory fines.
Most corporate staff employees are trained to recognize potentially malicious emails, which has caused cybercriminals to pivot to more problematic and evasive tactics to ensure success.
How Are Attacks Delivered?
Phishing is a prevalent threat that continues to grow more widespread every year. Cybersecurity threat trends suggest that at least one person clicked a phishing link in around 86% of organizations, with phishing accounting for about 90% of data breaches. As the attacks become more complex and damaging, organizations will spend more time and money mitigating them.
Hackers use adaptive techniques or polymorphic attacks that slightly alter each phishing message, effectively decreasing the likelihood the message will be flagged as a phishing scam.
How Can I Avoid Phishing Emails?
Awareness of essential email security tips and best practices for recognizing and avoiding phishing emails is critical to protecting sensitive information and preventing attacks.
With proper preparation, you can drastically lower the cost and impact of an attack. Implementing even stronger practices can reduce an organization’s exposure to email threats and minimize potential damage. Many businesses rely on endpoint security alone to safeguard users and critical business assets, even though that approach is ineffective against sophisticated and evolving threats.
A capable email security solution requires additional layers of proactive protection accompanied by expert, ongoing system monitoring, maintenance, and support. This protection must anticipate and learn from emerging attacks and offer real-time cybersecurity business insights to improve decision-making and policy enforcement.
Email Scam Costs Construction Company $800K
In the summer of 2022, authorities seized more than $800,000 from a bank account in Houston controlled by people accused of using online scams to defraud a construction management company, according to U.S. Attorney Alamdar Hamdani.
The U.S. Attorney's Office filed a civil complaint in late January that alleges that one or more unidentified perpetrators used phishing attacks or malware to gain access to the company email servers and accounts of the construction company to collect payments they owed to an engineering company the company was working with on a railway expansion project in California.
The hackers identified the construction company employees responsible for financial dealings and sent them emails from a fake address posing as an engineering company employee. Soon after, according to officials, the construction management company was tricked into sending money to the Houston bank account controlled by the conspirators.
According to the complaint, the bank account was posing as "H&H Engineering Construction Inc.," the name of a California-based rail maintenance and construction contractor. The attackers used a business email compromise scheme to compromise and copy legitimate business email accounts and use them to claim wire payments from legitimate transactions. According to the FBI, from October 2013 to July 2019, there were over 69,000 such schemes in the U.S., accounting for more than $10 billion in losses.
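The pattern in the case above (a known vendor's name on a message from an address the vendor does not use, asking accounts payable to redirect a wire) is one a mail gateway or SOC triage script can flag before money moves. The following is an added example written for this post, not code from the original article or from any product it mentions. It assumes the finance team keeps an allowlist of vendor display names and their legitimate sending domains (the KNOWN_VENDORS dictionary, a constructed stand-in); every domain, address and message body in it is constructed for illustration.

```python
"""Defender-side triage of vendor-impersonation (BEC) emails.

Added example, not code from the original post. All domains, addresses and
message bodies below are constructed for illustration.
"""
from email import message_from_string
from email.utils import parseaddr

# Constructed allowlist: vendors the finance team legitimately pays, keyed by
# the lower-cased display name they use, with the domains they send from.
KNOWN_VENDORS = {
    "h&h engineering construction inc.": {"hhengineering.example"},
}

# Digit-for-letter substitutions commonly seen in registered impostor domains.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "8": "b"})

# Phrases that usually accompany a payment-redirection request.
PAYMENT_CHANGE_PHRASES = (
    "new bank", "updated bank", "new account", "wire instructions",
    "remittance", "change of bank", "updated payment",
)


def normalize_domain(domain: str) -> str:
    """Lower-case, strip a trailing dot, and fold digit homoglyphs to letters."""
    return domain.lower().rstrip(".").translate(HOMOGLYPHS)


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain: str, known: str) -> bool:
    """True if `domain` is not `known` but differs only by homoglyphs or by
    at most two edits (an added hyphen, a dropped or swapped letter)."""
    d, k = normalize_domain(domain), normalize_domain(known)
    if d == k:
        return domain.lower() != known.lower()  # differs only by homoglyphs
    return edit_distance(d, k) <= 2


def _domain_of(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def assess_message(raw: str) -> list[str]:
    """Return findings for one RFC 5322 message; an empty list means no flag."""
    msg = message_from_string(raw)
    findings = []
    display, addr = parseaddr(msg.get("From", ""))
    from_domain = _domain_of(addr)
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    reply_domain = _domain_of(reply_addr)

    # 1. A trusted vendor's display name on a message from a domain it does not use.
    vendor_domains = KNOWN_VENDORS.get(display.strip().lower())
    if vendor_domains is not None and from_domain not in vendor_domains:
        findings.append("display name matches a known vendor but sender domain is not on the allowlist")

    # 2. Sender domain is a look-alike of a vendor domain we pay.
    for domains in KNOWN_VENDORS.values():
        for known in domains:
            if from_domain and is_lookalike(from_domain, known):
                findings.append(f"sender domain {from_domain} looks like vendor domain {known}")

    # 3. Replies are steered to a different domain than the visible sender.
    if reply_domain and reply_domain != from_domain:
        findings.append(f"Reply-To domain {reply_domain} differs from From domain {from_domain}")

    # 4. The body asks for a change to where money is sent.
    body = msg.get_payload(decode=True)
    text = (body.decode("utf-8", "replace") if isinstance(body, bytes) else str(msg.get_payload())).lower()
    if any(phrase in text for phrase in PAYMENT_CHANGE_PHRASES):
        findings.append("body requests a change to payment or bank details")
    return findings


# Constructed sample: impostor using the vendor's display name from a
# look-alike domain, redirecting a wire to a new account.
SUSPICIOUS = """\
From: "H&H Engineering Construction Inc." <accounts@hh-engineering.example>
To: ap@constructionco.example
Subject: Updated remittance details for invoice 4471

Please note our new bank account for all future wire payments.
"""

# Constructed sample: a routine message from the vendor's real domain.
LEGITIMATE = """\
From: "H&H Engineering Construction Inc." <accounts@hhengineering.example>
To: ap@constructionco.example
Subject: Invoice 4471

Attached is invoice 4471 for the work completed in March.
"""

if __name__ == "__main__":
    for label, sample in (("suspicious", SUSPICIOUS), ("legitimate", LEGITIMATE)):
        print(label, assess_message(sample) or ["no findings"])
```

Any single finding is a reason to hold the message for review rather than act on it; the first two together are the signature of the vendor-impersonation case described above, and a request to change bank details should in any event be confirmed with the vendor over a channel other than the email thread that asked for it.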
Keep Learning About Phishing Prevention
The number of phishing attacks continues to increase and plague businesses of all sizes, making it imperative that your organization is prepared for an attack. Implementing a comprehensive email security system can help prevent advanced threats, such as targeted spear phishing and ransomware.
- Learn more about effectively protecting your business from ransomware.
- Improve your email security posture to protect against attacks and breaches by following our email security tips.
- Keeping the integrity of your email safe requires securing your email cloud with spam filtering and enterprise-grade anti-spam services.
- Avoid phishing attacks and ransomware with tips from our Behind the Shield newsletter.