Phishing is a technique to steal employees’ account credentials or other sensitive information. Attackers frequently use a frightening message to encourage their target to ignore their better judgment and click a link or download a file.
Organizations spend significant money on every phishing attack: cleaning and repairing infected systems and containing phishing-based credential compromises. But those are not the only costs.
Cost of Compromises
Every company knows phishing attacks are costly, but quantifying that cost is challenging. This model does just that, allowing you to estimate the potential impact of a phishing attack on your business. The model includes several metrics, including remediation costs, brand damage, and IT overhead.
There are many kinds of phishing attacks, but the most common ones involve scams to steal money or data. This can include wire transfer fraud, ransomware, or credential compromises. These are frequently brought on by social engineering, in which online thieves trick users into clicking links in bogus emails that lead them to harmful websites.
Another common tactic involves impersonating a trusted brand. This type of phishing is called “brand spoofing”; it often involves an urgent request for money, a fake security alert, or a password reset request.
Finally, phishing attacks can also take the form of phone calls or text messages. These often target older adults and trick them into sending their money or personal information. This is called spear phishing or whaling.
Cost of Detection
While phishing attacks are not the only source of cyber attacks, they have been responsible for some of the most significant and damaging breaches. This is particularly true for attacks that result in stolen credentials, which accounted for 19% of data breaches in 2021.
In addition to direct costs, phishing attacks also have indirect financial impacts, such as lost productivity and damage to reputation. For example, on average, organizations spend seven hours per employee annually viewing and possibly responding to phishing emails. In addition, a compromised email could cause employees to download malware, leading to the loss of confidential information and potential regulatory penalties.
A phishing attack can also lead to a loss of business from customers. For example, some people will avoid companies that have been hacked in the past or are known to have suffered from cyber-attacks. This can result in a significant decrease in sales and damage to a brand’s image. While some brands will recover from the damage to their reputation, it can take decades for others to rebuild trust and restore brand affinity.
Cost of Response
In addition to direct monetary losses, the cost of responding to and cleaning up after phishing attacks can be enormous. This includes sifting through logs to identify compromised data, paying ransomware demands, and dealing with reputational damage.
Depending on the target, attackers can steal anything from usernames and passwords to confidential information, and can also deliver malware. They can also use email as a vector for business email compromise (BEC), where criminals impersonate executives to request large financial transfers. While advances in natural language understanding and other technology have helped combat BEC, it’s essential to have a layered approach to cybersecurity.
For example, relying on one tool to protect against email threats without the help of other tools can lead to alert fatigue. SOC analysts are overwhelmed by the volume of security alerts and may miss or ignore alerts that could quickly turn into a full-scale attack.
Another significant cost is the loss of employee productivity. It’s estimated that businesses lose 65,343 hours per year due to phishing attacks, with some employees taking up to 45 minutes to deal with each phishing email. Ultimately, this consumes the paid time of SOC teams and can cause them to burn out. It can also distract team members from critical projects that could make or break their company’s success.
Cost of Training
A significant cost of phishing attacks is the training required to prevent them. This includes the salaries of IT and security professionals who spend one-third or more of their workweek on phishing-related activities. It also covers the costs of employee time spent on training, IT expenses for remediation, and lost revenue due to phishing-related downtime.
In addition to the direct financial costs of a phishing attack, there are indirect costs, such as reputational damage and loss of business opportunities. Companies breached by a phishing attack can lose customers, leads, and brand affinity. They can also face a loss of market value when the news of a breach breaks.
A phishing attack is a lucrative form of cybercrime, and it’s one of the most common ways for attackers to steal usernames and passwords from employees. It can also be used to infect a computer with malware or ransomware, which can be even more costly for an organization. Combined, these can have devastating effects on a business. This is why it’s so essential for every company to implement comprehensive phishing protection that is constantly updated to keep up with the latest threats.