Proofpoint and Ponemon Institute reveal skyrocketing phishing costs

Proofpoint and Ponemon Institute have found that average phishing costs have sored to US14.8bn annually, quadrupling since 2015.
Proofpoint and Ponemon Institute have found that average phishing costs have sored to US14.8bn annually, quadrupling since 2015.

Proofpoint and leading cybersecurity and top IT security research organization, Ponemon Institute, released a new study examining the Cost of Phishing. The report has revealed that the cost associated with phishing attacks has almost quadrupled in the last six years. As a result, large companies in the US are losing an average of US$14.8mn annually, or $1,500 per employee. This is a drastic $3.8mn increase from 2015’s figure.

The cost of phishing

Proofpoint and Ponemon Institute surveyed 600 IT and IT security practitioners in the latest study. According to those surveyed, the most expensive cybersecurity attacks are ransomware attacks and BEC. This cost is not limited to the funds demanded by the attackers, but also to the loss of productivity, and the cost of responding to attacks.

According to Proofpoint, credential compromise precedes BEC attacks and ransomware, as attackers trick or “phish” employees into sharing their login information. The Anti-Phishing Working Group (APWG) describes phishing as a crime that uses social engineering and technical subterfuge to obtain personal and financial data. However, the most concerning aspect of these threats is their growth rate, with the number of phishing attacks doubling in 2020 alone.

“When people learn that an organization paid millions to resolve a ransomware issue, they assume that fixing it cost the company just the ransom. What we found is that ransoms alone account for less than 20% of the cost of a ransomware attack,” said Larry Ponemon, Chairman and Founder of Ponemon Institute. 

“Because phishing attacks increase the likelihood of a data breach and business disruption, most of the costs incurred by companies come from lost productivity and remediation of the issue rather than the actual ransom paid to the attackers.”

Additional key findings
  • One of the most costly outcomes of a phishing attack is the loss of productivity. According to Proofpoint, an average US company of 9,567 people will lose as much as 63,343 wasted hours each year. This equates to seven hours lost per employee per year on phishing scams, a four-hour increase from 2015.
  • The compromise of a business email costs nearly $6mn a year for a large company. $1.17mn of that figure comprises payments made to BEC attackers. 
  • Ransomware costs a large organization on average US$5.66mn. $790,000 accounts for the paid ransoms themselves. 
  • Security Awareness Training reduces phishing expenses by over 50%. 
  • The cost of resolving a malware infection has more than doubled since 2015. In 2021, the total cost to resolve a malware attack is $807,506, a sharp increase from $338,098 in 2015.
  • In addition to the cost of resolving an infection, the credential compromise costs have also increased dramatically in the last five years. Organizations are dedicating more money to respond to these attacks, and as a result, the average cost to contain phishing-based credential compromises has increased from $381,920 in 2015 to $692,531 in 2021.
  • According to Proofpoint, business leaders need to pay attention to probable maximum loss scenarios. For example, BEC attacks could incur losses from business disruptions up to $157mn is organizations are not prepared. 

“Because threat actors now target employees instead of networks, credential compromise has exploded in recent years, leaving the door wide-open for much more devastating attacks like BEC and ransomware,” said Ryan Kalember, executive vice president of cybersecurity strategy, Proofpoint. “Until organizations deploy a people-centric approach to cybersecurity that includes security awareness training and integrated threat protection to stop and remediate threats, phishing attacks will continue.”


About Proofpoint

Proofpoint is a leading cybersecurity and compliance company that protects organizations’ greatest assets and biggest risks: their people. With an integrated suite of cloud-based solutions, Proofpoint helps companies worldwide stop targeted threats, safeguard their data, and make their users more resilient against cyberattacks. Leading organizations of all sizes, including more than half of the Fortune 1000, rely on Proofpoint for people-centric security and compliance solutions that mitigate their most critical risks across email, the cloud, social media, and the web.

For more news from Top Business Tech, don’t forget to subscribe to our daily bulletin!

Follow us on LinkedIn and Twitter

How to defend against Active Directory attacks that leave no...

Amber Donovan-Stevens • 16th September 2021

Cybercriminals are using new tactics and techniques to gain access to Active Directory in novel ways, making their attacks even more dangerous—and more necessary to detect. This article will explore a few types of attacks have been seen in the wild that leave no discernable trail or, at least, any evidence of malicious activity, explains...

8th worst in Europe: Cybersecurity for UK business

Amber Donovan-Stevens • 10th September 2021

In the article, Hayley Kershaw, AdvanceFirst Technologies, analyses the data from recent research to identify successful cybersecurity practices from countries achieving the top-ranking and how, with the UK’s commitment to cybersecurity, businesses can improve.

Join our webinar on 28th September: How the digital nomad generation influences business behaviour