The Weekly Breach Breakdown: Phish of the Day – New Report on Phishing Reveals the Financial Impacts of an Attack

• According to a new report on phishing conducted by Ironscales, one phishing email takes about 27 minutes and $30 in labor costs to address. It can cost over $85 if a company takes 60 minutes to eliminate the threat.
• Researchers found that organizations spend an average of nearly $46K annually in salary and benefits per IT and security team member to handle phishing. A business with 25 team members incurs about $1.1M to handle phishing attacks.
• Some emerging characteristics identified in the phishing report include compromised logins and passwords to bypass detection and advanced techniques to hide malware.
• Individuals and businesses should be prepared for a surge in increasingly sophisticated phishing attacks. Don’t assume an email, text, meeting invitation or direct message is legitimate if you didn’t create it or expect it.
• To learn about data compromises, consumers and businesses should visit the ITRC’s improved data breach tracking tool, notified.
• If you believe you are the victim of an identity crime, contact the ITRC. Call toll-free at 888.400.5530 or live-chat on the company website idtheftcenter.org.

Phish of the Day

Welcome to the Identity Theft Resource Center’s (ITRC) Weekly Breach Breakdown for October 21, 2022. Each week, we look at the most recent events and trends related to data security and privacy. This week, as Cybersecurity Awareness Month continues, we dig deeper into the statistics from the ITRC’s Q3 Data Breach Report, which we discussed last week. Specifically, phishing has been the leading cause of publicly reported data compromises for 15 straight quarters. We’re calling this episode “Phish of the Day”. That’s Phish with a ph, in recognition that there is more than one data breach each day caused by a phishing attack. These latest findings are in a report on phishing commissioned by email security firm Ironscales.

Ironscales Releases Report on Phishing

Phishing is not just a data security and privacy threat; it’s a significant cost to businesses of all sizes. Phishing-related emails cost, on average, about one-third of security teams’ available time and thousands to millions of dollars to review and remediate. One phishing email takes about 27 minutes and around $30 in labor costs to address but can cost up to a little more than $85 if a company takes 60 minutes to eliminate the threat.

Researchers found that organizations spend an average of nearly $46K annually in salary and benefits per IT and security team member to handle phishing. This cost increases exponentially depending on how many IT and security professionals an organization has. An entity with five IT and security professionals will pay about $229K in salary and benefits to handle phishing attacks. A business with 25 team members incurs significantly more costs per year — about $1.1M — to handle phishing attacks.

Combine the impacts of successful phishing incidents — such as the loss of logins and passwords, business email compromise, and data theft — and that means that about one-third of organizations classify phishing as a “threat” or “extreme threat” to their business.

Half of the survey respondents cited four emerging characteristics of phishing attacks:

• First is the use of adaptive attacks that vary each phishing message slightly to decrease the likelihood of being detected.
• Second is the use of compromised logins and passwords to bypass detection since they’re sent from the organization’s own email systems.
• Third, threat actors use advanced techniques to hide malware and malicious links to make the phishing attack appear harmless at first.
• The final trend includes expanding attacks to messaging apps and cloud-based file-sharing platforms such as Microsoft Teams and Slack.

What This Ironscales Report on Phishing Means

Individuals and businesses should be prepared for a surge in increasingly sophisticated phishing attacks. Even so, the advice remains the same: don’t assume an email, text, meeting invitation or direct message is legitimate if you didn’t originate it or expect it.

Contact the ITRC

If you want to learn how to protect your personal or business information or think you have been the victim of an identity crime, visit our website www.idtheftcenter.org. You can also speak with an expert advisor on the phone (888.400.5530), chat live on the web, or exchange emails during our normal business hours (Monday-Friday, 6 a.m.-5 p.m. PST). 

Next week, we’ll release our second annual Business Impact Report, which looks at what happens when small businesses are victims of cyberattacks and data breaches. Be sure to join us for our sister podcast, the Fraudian Slip, when we review the findings. We will return in two weeks with another episode of the Weekly Breach Breakdown.