The total global cost of phishing attacks—emails laced with malicious payloads hidden within links and attachments—is complex, far-reaching, and incredibly high. The most recent projections performed by the Ponemon Institute reports the average loss by companies to phishing in 2021 is $14.8 million, more than triple what it was in 2015.
That extrapolates to a total cost of billions to the global economy. The price tag covers direct costs for things like ransomware payouts and fraudulent wire transfers, as well as indirect costs for things like legal hours, regulatory fees, investigations, brand damage & repair, PR activity, productivity loss, mental health damage, and more.
The cost of phishing will be felt in cyber insurance premiums
Perhaps most interestingly, phishing attacks—ransomware in particular—have imploded the cyber insurance landscape in 2021. The biggest players are no longer taking on new cyber business with current premiums no longer being profitable. Existing customers are now receiving at least half the coverage for much higher premiums. This is an underreported cost of phishing that will have incredibly far-reaching implications.
In 2021, cyber insurance became officially unprofitable for many insurers. And now, the dominoes are falling. Insurance behemoth Lloyd’s ofLondon is discouraging its syndicate from taking on new cyber business, according to a Nov. 19 Reuters article that also reported a universal halving of cyber coverage in 2021. Likewise, in August, Reuters reported that US insurance giant, AIG tightened its terms and conditions for coverage while raising premiums by over 40%.
"Insurers are changing their appetites, limits, coverage and pricing," Caspar Stops, head of cyber at insurance firm Optio, told Reuters. "Limits have halved – where people were offering 10million pounds ($13.50 million), nearly everyone has reduced to five." – Reuters
The shrinking of coverage comes in the face of surging demand. The National Association of Insurance Commissioners (NAIC) Report on the Cybersecurity Insurance Market, released Oct. 2021, reported that the cyber insurance market in the U.S. grew to roughly $4.1 billion in direct written premiums in 2020, an increase of 29.1% from the prior year. But concurrently, direct payouts for cyberattacks—especially ransomware-- exceeded premiums, with loss ratios of 24.6 % to 114.1% according to a Nov.9 report in the Insurance Journal.
Imagine a trucking company that could no longer insure its fleet. That’s the scenario many organizations are facing as they seek to do business on the information highway.
Cybersecurity Ventures projects that global spending on cybersecurity will exceed $1 trillion cumulatively over 2017-2021.
Phishing cost by the numbers
Email-originated breaches and their resulting costs have exploded since the onset of the pandemic in 2020. Many security vulnerabilities emerged with the Covid-driven mass adoption of the cloud and a rapid shift to remote work. Threat actors, being the shameless and horrible people that they are, love exploiting a crisis and have been unshy about doing exactly that. And with companies settling long-term into hybrid remote-office work models, threat actors will continue to attack people with malicious emails (and other mediums of communication, like texts and message boards) to get their hands on sensitive data.
According to the Ponemon Institute’s most recent “Cost of Phishing Study,” published in Aug. 2021, the average cost of phishing to organizations has more than tripled since 2015 to $14.8 million in 2021. Indirect costs of phishing include loss of employee productivity (which has jumped on average from $1.8 million in 2015 to $3.2 million in 2021); repairing brand damage with PR; operations disruptions, and so on.
Ransomware is often cited as the top growing concern. Ransomware is a growth industry, propelled by a sophisticated ransomware-as-a-service business model supported and shaped by a vast criminal underworld. Many recall the Big 3 ransomware attacks of 2021: Colonial Pipeline, JBS, and Kaseya. CyberVentures reports that ransomware will ultimately cost global businesses $20billion in 2021, jumping 5-fold from $4 billion in 2017 (and 15-fold since2015). They project the ransomware price tag will swell to $265 billion by2031.
Other reports by Cyber Ventures say that total global cybercrime (beyond just phishing) costs businesses and individuals $6 trillion (yes, trillion) annually.
But ransomware is far from the top cyber threat. According to the FBI, C-suite imposter attacks, usually known as BusinessEmail Compromise or CEO attacks, remain the kingpin of cybercrime. In a BEC attack, employees are tricked into transferring large sums into scam accounts for fraudulent invoices. Other forms of phishing attacks, like spear phishing and credential harvesting, also top the FBI’s list.
We’ll say it again: virtually all attacks, even ransomware, begin with an email. For example, the latest incarnation of the Emotet botnet, the undead king of malware, is potentially a ransomware super spreader.
Phishing targets people. So will the solution to phishing.
Email attacks are at the heart of the problem. Improved security awareness training is the likely core of the solution. Knowledge is power when people know how to spot a malicious email and respond correctly. Insurers recognize that and are upping their awareness requirements for companies to receive coverage and lower premiums.
In the grander scheme, risk must be globally reduced. We will have to enter a new age of security enlightenment to stabilize risk.
It’s a matter of survival on both sides of aisle. Insurers are losing on cyber insurance owing to payouts for malware, ransomware, credential harvesting, BEC / wire transfer fraud, legal action, and more: primarily due to someone clicking on a malicious link.
It can’t be stressed enough: the cost of phishing can be controlled with awareness. Prevention begins with addressing the largest risk; 90% of data breaches start with an email component. According to the Ponemon Institute’s “Cost of Phishing Study,” the average cost of phishing to companies can be cut in half with security awareness training.
At Hoxhunt, we’ve seen dramatic reductions in true risk of a phishing attack breach with the introduction of risk-based (not just compliance-based) awareness training. Even though Hoxhunt threat simulations are designed to get more difficult as employees progress through the training program, fail rates typically fall by 60 – 85% within a few months, dropping from as high as 30% as at IGT, to typically between 2-6%.