What Is The True Cost Of A Phishing Attack?

Executive Summary: Phishing Attack Costs

     There is a high chance that your company is going to be targeted in a phishing attack

     This will cost you $3.8m on average

     Putting the correct tools in place now, at a fraction of the cost, is the best defense

How much do you think a phishing email will cost your business? The stats show that your company has a 27% chance of experiencing a serious breach in the next 2 years. And you’ve probably already received phishing emails.

The bad news is that these emails are getting more sophisticated, and the impact, if one of these emails succeeds, is climbing.

It therefore makes sense to quantify the impact on your business, and plan accordingly.

Based on reported attacks in the past, and using a report issued by IBM and the Ponemon Institute, we can get a pretty good idea of what the impact of such a phishing email will be.

We’ll put a number on the cost of a successful phishing email, and look at this number across metrics such as the actual direct financial cost, reputational damage, IT overhead, and other damages.

Phishing: A Quick Refresher

A phishing email is sent to your organization. It looks totally real, but is engineered by malicious criminals. It can range from a spear phishing or “whaling” attack targeting company leadership, to a malware attack sent to the organization’s freshest intern.

The attackers could be requesting that money be transferred to another account, angling for confidential information, or trying to install malware or ransomware onto your network. These are the main forms that phishing attacks take, but they are by no means the only ones.

Actual Financial Damage of Phishing

The most obvious place to look for the financial impact of a phishing email is the amount that is taken by the fraudsters. Looking at some of the most recent attacks, the amount of money stolen ranges from $300,000 to $11 million.

Wired reports on some of the biggest phishing attacks of 2018, where amounts stolen reached the billions. Forbes writes about a typical spear phishing attack that recently cost a Dutch cinema chain over $20m. Another typical case is tech company Ubiquiti Networks, which had $46m stolen in a phishing scam.

Of course, there are other very real costs involved besides the obvious amount of money stolen. IBM reports that the average successful phishing attack costs a company like yours $3.86m (if you’re in the US, that jumps to $7.9m).

A “mega breach” will cost in the region of $350m, and the damage could spiral into the billions.

Other factors to take into account include:

     Customers leaving as a result of the breach

          Per the IBM report, organizations that lost less than 1% of their customers due to a data breach experienced an average total cost of $2.8 million

          If 4% or more of a customer base is lost, the average total cost jumps to $6 million

          Expect around 5% abnormal churn after a data breach

     Drop in new customers

          Potential new customers are much more likely to avoid a company that has had a breach

     Questioning other aspects of your offering

          If you can’t keep my data safe...

     Loss in consumer confidence

          It often takes over 200 days to actually realize there’s been a breach

     Regulatory risk (breaching laws)

          Just the notification costs of a data breach are estimated at $740,000

          Post-breach response costs are estimated at $1.76m

          This includes legal costs, setting up call centers to deal with queries relating to the breach, investigations, product discounts and so on

     Loss of Business Continuity

          What would be the cost to your business if you were shut out of all your computers for a week, or even suddenly for a day?

Other Impacts

After a phishing attack or data breach, a tremendous amount of effort, time, and money is required to deal with the damage.

Per IBM, immediately following a phishing attack, companies will typically:

     Conduct investigations and forensics to determine the root cause of the data breach

     Determine the probable victims of the data breach

     Organize the incident response team

     Conduct communication and public relations outreach

     Prepare notice documents and other required disclosures to data breach victims and regulators

     Implement call center procedures and specialized training

Afterwards, companies will have to:

     Engage audit and consulting services

     Arrange legal services for defense

     Arrange legal services for compliance

     Offer free or discounted services to victims of the breach

     Offer identity protection services

     Calculate lost customer business based on customer churn or turnover

     Assess customer acquisition and loyalty program costs

This has a huge opportunity cost in terms of disruption to everyday business activities and lost revenues.

Reputational damage

Some of the biggest damage occurs to a company’s reputation. Equifax is now synonymous with a data breach. Hillary Clinton’s presidential bid will be remembered for the email scandal.

This has tangible results, and often has a material effect on the value of a company.

Take the case of money transfer company Xoom Corporation. By falling for a phishing email, they had $30m stolen from them. Worse still, when the news broke, the company had 17% wiped off its valuation.

IT Overhead

One of the worst-affected teams when it comes to a phishing attack or data breach is the IT team. They will be tasked with dealing with the damage (and in severe cases, blamed for the breach). Of course, executives want answers immediately, no matter how difficult it is to assess what happened and what damage is ongoing.

The IT team (often together with 3rd-party consultants) will have to assess the damage, author reports, explain what happened and how it happened, and what weakness resulted in the breach occurring in the first place.

All of this will, of course, need to take place while they are discharging their regular responsibilities, which places a massive amount of stress on this team.

It’s Worth Being Protected

With the cost, overhead and strain placed on an organization and the individuals within it – particularly the executive and IT teams – it’s well worth investing in anti-phishing measures.

Your employees and team members are seen by most anti-phishing tools as your biggest vulnerability. At Retruster, we see them as your greatest asset. Get your employees on your side, with an interactive anti-phishing tool where they can contribute to your security.

Training is important too, of course, but unfortunately even the best training cannot help in the case of sophisticated phishing emails, which seem completely legitimate to the naked eye.

You’ll need a tech solution created specifically to protect you and your organization from phishing attacks, which is what Retruster offers. Get in touch with us today, to start protecting your organization immediately.