How much does phishing really cost businesses?


The true cost of phishing and security breaches doesn’t just lie with the cost of the actual breach itself. A report posted recently by Osterman extrapolates the direct cost of phishing to cover not only the hourly cost of a phishing attack, but also how much one phishing email can cost. It’s a fascinating, and jaw-dropping, look into the true costs of email cybersecurity.

How the survey was conducted

The report, which was commissioned by Ironscales and conducted by Osterman, was able to figure out both the hourly cost of a phishing email and even the per-email cost of each phishing or malicious email. They did this by interviewing 252 IT individuals in the United States. They factored in the average salary of each IT professional surveyed, and found that the total amounted to $45,726 annually.

How much phishing emails cost in money and time spent

A single email-based attack can cost $31 in labor if the email takes up 27 minutes (the average amount of time spent on each malicious email caught by IT). The cost goes up to $85.33 per email if the length of time is increased to 60 minutes.

70% of those surveyed said that they spent about 31 to 45 minutes dealing with each individual phishing message, and that overall the mitigation of phishing emails takes up about 1/3 of their working day.

Extrapolating that data further, Osterman found that mid-size companies with five IT professionals currently spend $228,630 yearly on email-based attacks alone. For enterprise-sized companies (i.e. ones with 25+ IT professionals), phishing can cost $1.1m annually, based on Osterman’s surveyed U.S. national average for IT professionals. 

What are the most used tactics?

Adaptive techniques: Often called 'polymorphic phishing', adaptive phishing attacks use spoofing techniques and sometimes logo kits in order to appear very similar to existing coworkers and employee-recognised login pages. 42% of all malicious emails in 2020 used polymorphic techniques.

Compromised credentials: Hackers obtain compromised credentials either through the dark web or from previously successful phishing attacks. Since these emails often originate from inside the company, it is difficult to detect malicious activity using traditional filtering software. 

Obfuscation: This amounts to hiding various keywords, code, and other miscellany within emails so that they bypass existing email security software. Techniques include but are not limited to: zero-point font, brand impersonation (which is similar to logo kit impersonation but exists solely within emails), and more. Check out an informative article from Microsoft about these new techniques here.
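To make the zero-point font tactic concrete from the defender's side, the following is an added example, not code from the Osterman report, Microsoft or Hoxhunt. It is a heuristic that only inspects inline `font-size` styles; the names `ZeroFontFinder` and `scan_email_html` are hypothetical and the sample message is constructed.

```python
import re
from html.parser import HTMLParser

FONT_SIZE = re.compile(r"font-size\s*:\s*([^;]+)", re.I)
ZERO = re.compile(r"0+(\.0+)?\s*(px|pt|em|rem|%)?(\s*!important)?", re.I)
VOID_TAGS = {"br", "img", "hr", "meta", "input", "link", "wbr"}

class ZeroFontFinder(HTMLParser):
    """Separates text a reader sees from text styled at font-size 0."""

    def __init__(self):
        super().__init__()
        self.stack = []    # per open element: is its text zero-sized?
        self.hidden = []
        self.visible = []

    def handle_starttag(self, tag, attrs):
        if tag in VOID_TAGS:
            return
        inherited = self.stack[-1] if self.stack else False
        decl = FONT_SIZE.search(dict(attrs).get("style") or "")
        # An explicit font-size overrides the inherited state.
        zero = bool(ZERO.fullmatch(decl.group(1).strip())) if decl else inherited
        self.stack.append(zero)

    def handle_endtag(self, tag):
        # Simplification: assumes well-nested tags.
        if tag not in VOID_TAGS and self.stack:
            self.stack.pop()

    def handle_data(self, data):
        if data.strip():
            hidden = bool(self.stack) and self.stack[-1]
            (self.hidden if hidden else self.visible).append(data)

def scan_email_html(html):
    finder = ZeroFontFinder()
    finder.feed(html)
    finder.close()
    return {
        "hidden": finder.hidden,                       # flag the message if non-empty
        "rendered": "".join(finder.visible),           # what the recipient reads
        "scanner_view": re.sub(r"<[^>]+>", "", html),  # naive tag-stripping filter
    }

# Constructed sample, not taken from a real message.
SAMPLE = (
    '<p>Your Micro<span style="font-size:0px">xq</span>soft pass'
    '<span style="FONT-SIZE: 0">zz</span>word expires today.</p>'
)
```

Keyword matching should run on the `rendered` text rather than the tag-stripped text, and a non-empty `hidden` list is itself a signal worth scoring.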

Attacks are not limited to email

Amongst the 252 IT professionals surveyed,

  • 57% had received phishing attempts through messaging apps such as WhatsApp, Signal, Telegram, etc.
  • 50% had received phishing attempts through cloud-based sharing platforms such as Google Drive, Dropbox, etc.
  • 49% had received phishing attempts through SMS or text messages.
  • 44% had received phishing attempts through social media sites or apps such as Facebook, Twitter, etc.
  • 43% had received phishing attempts through video conferencing apps such as Zoom, Google Meets, etc.
  • 40% had received phishing attempts through collaborative platforms such as Slack.

Where does this lead?

Security and risk management leaders need to move on from relying solely on legacy security awareness programs (such as the one built into Microsoft 365) and start focusing more intently on building a more holistic, people-first cybersecurity culture.


Hoxhunt's Threat Analysis Team examines tens of thousands of reported phishing emails a week and has captured tens of millions of threats to date. Working together with our powerful machine learning model, they cluster the threats, rate them, and incorporate the truly harmful ones into our training simulations in real time to ensure our training stays at the cutting edge of the constantly evolving threat landscape. Hoxhunt users are thus equipped with the habits to outsmart the latest actual threats that have outfoxed email filters, removing potentially catastrophic threats from your system. Learn how to equip your employees with the awareness training that will protect your company from phishing scams.
