Understanding the Business Costs of Phishing Attacks

This syndicated post originally appeared at Zeus Kerravala, Author at eWEEK.

Phishing attacks continue to plague companies, consuming massive amounts of IT staff time.

Phishing attacks—where hackers try to collect personal information using deceptive emails and links—continue to impact organizations of all sizes.

It’s been well documented that phishing as an attack vector has exploded over the past several years. SlashNext reported that over the first six months of 2022, there were over 255M attacks, a 61% increase in the rate of phishing attacks compared to 2021.

What is often overlooked is the total cost to a business. Such attacks require a great deal of time and energy from IT and security teams, which, on average, spend approximately 28 minutes dealing with a single phishing email at a cost of about $31 per message.

The findings come from a new report conducted by IRONSCALES and Osterman Research, surveying 252 IT and security professionals in the U.S. The report, The Business Cost of Phishing, uncovered that IT and security teams typically spend one-third of their time handling phishing threats weekly. For 70 percent of organizations, dealing with a single phishing email takes 16 to 60 minutes.

Dealing with Phishing: Like Finding a Needle in a Haystack

As the attack occurs, IT is looking for the message and reading the headers on the message, explained Ian Thomas, VP of product marketing at IRONSCALES. “If there’s an attachment, they’re running it through a sandbox to see if it’s malicious. Once IT realizes phishing is involved, they look for it in other mailboxes—potentially hundreds of mailboxes. When they find it, all the messages have to be pulled out. This requires a lot of investigating and takes roughly a half hour every single time.”

In addition to spending a lot of time on phishing-related activities, organizations have to pay a higher salary to every IT or security professional that handles phishing. According to the data, an organization with five IT and security professionals is currently paying $228,630 in annual salary and benefits to handle phishing. An organization with 10 IT and security professionals is paying $457,260 per year, and an organization with 25 IT and security professionals is currently paying $1,143,150 per year.

Phishing Attacks: Increasingly Challenging

Phishing is an increasingly sophisticated form of cyberattack that’s becoming more prevalent and better at evading detection. Most of the IT and security professionals surveyed in the report expect the volume of phishing attacks to increase over the next 12 months. As the attacks become more complex and damaging, organizations will spend more time and money on mitigating them.

Eighty percent of organizations feel the dynamics of phishing have worsened or remained the same over the past year. These dynamics include the number of phishing attacks, their sophistication, and their ability to bypass current detection mechanisms.

For example, hackers are using adaptive techniques or polymorphic attacks that slightly alter each phishing message, which decreases the likelihood of a message being flagged as a phishing scam.

Targeting Vulnerable End Users

The most common way phishing attacks are carried out is by tricking an email recipient into believing that the message they received is from a trusted source, such as a bank, a friend, or a fellow employee.

Hackers can obtain account credentials from earlier phishing messages or purchase the credentials on the dark web. The messages are sent from an organization’s own email infrastructure, which means they are likely to bypass detection.

Any messaging platform where two-way communication takes place is now a target for phishing attacks, said Thomas. Social media platforms like Facebook, LinkedIn, and Instagram are the most common ones, but Webex and Zoom users are also at risk. Hackers with employee credentials can take over a legitimate account and disguise themselves as the account holder to contacts, who receive phishing links and attachments directly in these apps.

Social Media in the Crosshairs

The report identified a worrying trend, where phishing attacks are spreading beyond email. According to the respondents, they’re seeing phishing attacks in messaging apps like:

  • WhatsApp, Telegram, and Snapchat (57%)
  • Cloud-based file sharing platforms like Dropbox and Google Drive (50%)
  • Text messaging services (49%)
  • Social media and direct messages (44%)
  • Video conferencing platforms like Zoom, Webex, and Google Meet (43%)
  • Collaboration platforms like Microsoft Teams and Slack (40%)

The number of phishing attacks is only expected to grow over the next 12 months. Therefore, organizations should prepare by revamping their cybersecurity tactics to include more robust solutions that can detect and stop phishing attacks—even advanced polymorphic and nested threats—and safeguard their communication and collaboration apps, not just email.

In the report, IRONSCALES recommends creating awareness among employees through surveys and training materials, so they can identify phishing scams. Organizations can use phishing simulation and training exercises to help employees understand various phishing techniques. For organizations that have a bring your own device (BYOD) policy, it should be revised to include guidance on text-based phishing scams.

IRONSCALES also recommends using the principle of least privilege access to reduce the attack surface. Even if an employee’s account gets compromised, their access will be restricted only to their job functions and duties. Taking these important steps can help organizations educate their employees and mitigate potential attacks.

Author: Zeus Kerravala

Zeus Kerravala is the founder and principal analyst with ZK Research. Kerravala provides a mix of tactical advice to help his clients in the current business climate and long term strategic advice.