Falling victim to a phishing attack now regularly costs businesses over $1 million -- and the financial damages are rising as organizations struggle to protect users and networks against email-based cyberattacks.
Phishing attacks are one of the most common cybersecurity threats businesses face today because cyber criminals know that employees at every level are reliant on email for communication.
According to analysis by Barracuda Networks, the average cost of the most expensive email attacks during the past 12 months is $1,033,066 -- and for large organizations, the average cost of the most costly attack is even higher, at $1,264,315.
The figures account not only for direct monetary loss, but also for the cost of lost productivity and data, as well as reputational damage.
According to the report, business and financial services reported the highest cost of a phishing incident at $1.5 million. Much of this cost comes from direct monetary losses to cyber criminals -- such as from business email compromise (BEC), a type of fraud where cyber criminals pose as a trusted person and then ask for significant financial transfers.
Email-based attacks can also be costly in other ways, with phishing emails being used to steal usernames and passwords, or used for delivering malware or even ransomware.
For organizations of any kind, the cost of falling victim to ransomware can be vast, whether they pay the ransom demand -- which regularly amounts to over a million dollars -- or look to retrieve the network without giving in to extortion fees. Either way, it costs money, both immediately and in the longer run.
"Email-based attacks can be the initial access point for a wide range of cyber threats, including ransomware, information stealers, spyware, crypto mining, other malware, and more," said Don MacLennan, SVP of engineering and product management for email protection at Barracuda.
"Growing awareness and understanding of email risks and the robust protection needed to stay safe will be key in keeping organizations and their employees protected in 2023 and beyond," he added.
Raising awareness plays a key role in aiding the fight against phishing and other email-based attacks, because while antivirus and email-spam protections can filter out many potential threats, cyber criminals regularly find ways of getting around these filters.
For example, BEC emails don't tend to contain malware or even attachments, so they can bypass some antivirus products -- and it's natural for people to believe that an unremarkable email that claims to be from their boss really is from their boss.
The challenge of protecting against email-based attacks has become more difficult in recent years due to the rise of hybrid and remote working.
According to the report, companies with more than half of their employees working remotely are more likely to report monetary loss as an impact, along with higher overall recovery costs.
Much of this challenge stems from how business applications and critical data are accessed by employees via cloud software and applications -- sometimes from personal devices -- which increases the potential attack surface for cyber criminals. The report also warns that this cloud-based access can significantly delay detection, response, and recovery from cyberattacks.
To help protect users and networks against attacks, it's recommended that multiple layers of security are used, including antivirus protection, along with verification tools, such as multi-factor authentication (MFA). By using MFA, organizations can provide an added layer of defense against phishing attacks trying to steal login details.
It's also recommended that employees are warned about the threat posed by phishing attacks and are provided with proper channels through which to report suspected email attacks.