The top 10 costs of phishing have all jumped significantly in 2021, sometimes by orders of magnitude. The total cost of phishing has more than tripled since 2015 according to the Ponemon Institute’s Cost of Phishing study. In 2021, phishing attacks dramatically increased with threat actors taking advantage of new vulnerabilities and opportunities opened up by the pandemic-driven global mass migration to remote work and the cloud.
The total global cost of phishing attacks—emails laced with malicious payloads hidden within links and attachments—is complex, far-reaching, and incredibly high. These top 10 costs of phishing attacks give a sense of how interconnected and unexpected the financial fallout of phishing attacks actually is on global businesses, individuals, and organizations.
The most recent projections by the Ponemon Institute put the average loss to phishing per company in 2021 at $14.8 million, more than triple what it was in 2015. That translates to hundreds of billions of dollars in total losses from phishing attacks to global businesses.
Cyber Ventures reports that ransomware, the most notorious villain of 2021, will ultimately cost global businesses $20 billion in 2021, jumping 5-fold from $4 billion in 2017 (and 15-fold since 2015). They project the ransomware price tag will swell to $265 billion by 2031. Other reports by Cyber Ventures say that total global cybercrime (beyond just phishing) costs businesses and individuals $6 trillion (yes, trillion) annually. Phishing factors prominently into that figure.
These escalating costs are already having major consequences on the way businesses operate and manage risk.
Below are the top 10 costs of phishing, both direct and indirect.
1. Business Email Compromise (BEC)
BEC is this attack’s official name as designated by the FBI, but it is also known as Email Account Compromise, Wire Transfer Fraud, and CEO Fraud because the scam often begins with someone posing as the CEO and ends with a fraudulent direct transfer of funds. The target can be anyone at the executive level. It’s hit private individuals, governments, companies, and celebrities alike. The FBI’s 2020 IC3 report, released in March 2021, reports BEC swindles organizations out of more money than any other form of cybercrime, by far. The FBI received 19,369 complaints with a reported $1.8 billion in losses in America due to BEC in 2020 (although it's important to note that these are reported losses, and the vast majority of losses and breaches go unreported to the FBI). The Ponemon Institute reported the average total cost of BEC attacks to companies was $5.96 million, with maximum losses topping $8.12 million.
2. Credential compromises
This may occur when someone clicks on a link and is redirected to a malicious credential harvesting site that tricks them into entering sensitive data, such as passwords and account numbers. The Ponemon Institute reports that the average cost of credential compromises that are not contained (meaning they weren't identified and dealt with before being executed) has more than doubled since 2015, to $2.1 million in 2021, and continues to rise. These attacks are extremely simple to execute; they are common and high-volume attacks. With organizations reporting 5.3 credential compromises on average over the past 12 months, their numbers are mushrooming, and companies are, as a result, spending nearly $700,000 on average to catch and contain them.
3. Malware
The average total cost to resolve malware attacks is $807,506 in 2021, more than doubling 2015’s $338,098. Costs from uncontained malware have more than doubled from an average of $3.1 million to $5.3 million. Malware comes in all shapes and sizes, and can have some very troubling effects. For example, the latest incarnation of the Emotet botnet, the undead king of malware, is potentially one of today's main ransomware super spreaders.
4. Ransomware
Ransomware is a form of malware that encrypts data in computer systems until a ransom is paid for the decryption key that will unlock them for data retrieval or re-starting operations. Many ransomware attacks begin with an email component. The average ransomware payment in H1 2021 jumped 82% from 2020 to $570,000, but ransom demands are prorated to the size of victims' bank accounts. Big players pay big bucks to get their systems back. It’s unknown what Kaseya paid to resolve their massive ransom attack in July, but Colonial Pipeline paid 75 bitcoin, or $4.4 million, to get its oil distribution back online, and JBS paid $11 million to resolve an attack that halted operations for the largest meat producer in America. The US pays more for ransomware than any other country. The upward trend of ransomware demands and payouts is what is most startling.
According to the 2021 Unit 42 Ransomware Threat Report: The average ransom paid by organizations increased from US$115,123 in 2019 to $312,493 in 2020, a 171% year-over-year increase. Additionally, the highest ransom paid by an organization doubled from 2019 to 2020, from $5 million to $10 million. Meanwhile, cybercriminals are getting greedy. From 2015 to 2019, the highest ransomware demand was $15 million. In 2020, the highest ransomware demand grew to $30 million.
5. Employee productivity
The indirect cost of lost productivity due to a phishing attack has ballooned from $1.8 million in 2015 to $3.2 million per company on average in 2021. Social engineers target employees with their phishing attacks, so the tidal rise of email attacks and breaches during the pandemic has hamstrung many workers involved in a breach. (Some of whom lose even more productivity by being forced into a draconian punishment like extra training and a phishing jail).
6. Mental health and wellbeing
People can lose sleep, confidence, focus, and even their jobs over an email breach. The consumer group Which? calculated the total wellbeing cost of fraud, much of which the study acknowledged stemmed from online attacks, at $12.26 billion (the UK study reported 9.3 billion GBP).
7. Brand damage and PR
The financial impact of losing consumer trust can be anywhere from bad to catastrophic, particularly in industries where sensitive data is routinely handled, such as banking and healthcare. Companies spend significant sums to repair their image and convince their customers that it’s safe to do business with them.
8. Legal & regulatory
Legal costs and liability for partners and customers affected by a breach are sizable (again, Kaseya’s breach affected hundreds of companies), and regulatory fines are becoming increasingly stringent. Legal work can range from dozens to thousands of hours to resolve a lawsuit or regulatory dispute, at rates of hundreds to over a thousand dollars per hour. Regulatory penalties, meanwhile, can be especially stiff in certain industries like healthcare.
9. Cyber insurance
The cyber insurance industry is in a state of profound disruption, owing largely to the explosion in ransomware. While 2021’s ransomware mega-breaches have grabbed headlines (Kaseya, JBS, and Colonial Pipeline to name a few), the untold story has been that the total financial impact of cybercrime on insurers, especially the types that involve employees and can thus be mitigated with better awareness, has pushed the industry past the point of profitability. Premiums have skyrocketed (often doubling) and coverage has shriveled (by at least half) as 2021 put cyber insurance into the red. This is having a dramatic impact on what companies pay, both to prevent cyber breaches and to cover them when they happen. Moreover, premiums may rise significantly after a cyber breach.
10. Security budget and prevention
Security budgets are growing and preventive measures expanding as cybersecurity has clearly become a central pillar of overall risk management. It’s no longer separate. As insurance becomes harder to get and more expensive, companies will be forced to spend more money to prevent breaches.
At Hoxhunt, we’ve seen dramatic reductions in the true risk of a phishing breach with the introduction of risk-based (not just compliance-based) awareness training. Even though Hoxhunt threat simulations are designed to get more difficult as employees progress through the training program, fail rates typically fall by 60-85% within a few months, dropping from as high as 30% (as at IGT) to typically between 2% and 6%.