Phishing continues to represent not just a mainstay threat but also a significant cost to enterprises, with some large organizations with a robust IT and security staff spending $1.1 million per year to mitigate phishing attacks, new data shows.

Phishing-related security activities currently consume, on average, about one-third of the total time available to organizations' IT and security teams, according to a newly published report. A single malicious message costs organization an average of about 27 minutes and $31 in labor to mitigate, but can cost up to $85.33 if a company takes 60 minutes to eliminate the threat, researchers found.

This cost, combined with the consequences of successful phishing incidents — which include loss of account credentials, business email compromise, and data theft — means that about a third of organizations consider phishing to be either a "threat" or "extreme threat" to their businesses, researchers wrote in the report, which was commissioned by email security firm Ironscales and conducted and written by Osterman Research.

This situation is unlikely to improve anytime soon, as threat actors become even more sophisticated in how they craft phishing campaigns not only to hook enterprise workers, but also to make phishing emails harder to detect, the researchers found.

And while the shift to remote working that occurred during the pandemic lifted the burden of phishing slightly and led to a decline in this type of cybercrime activity over the 12 months previous to June 2022, the threat from phishing will soon be on the uptick again, the researchers found.

Enterprises should be on the alert and start preparing now to deal with imminent and "more sophisticated and pernicious" attacks — or expect to spend even more to handle phishing in the future, they said. "The time and cost currently expended on mitigating phishing will increase unless organizations start relying on better phishing protections," the researchers wrote.

Organizational Burden

Osterman Research surveyed 252 IT and security professionals in the United States in June 2022 for the report, asking them a range of questions about how their organizations deal with phishing and the impact it has.

Researchers attempted to quantify the actual business cost in terms of time and money spent addressing phishing that enterprises are incurring. They found that it indeed represents a significant investment that rises exponentially the more staff an organization has, and the more phishing emails a company receives.

That email cache from phishing in the current security landscape can be staggering, with some larger organizations receiving thousands of phishing emails per day, the researchers said. "Clearly, no organization has to deal with only a single phishing email," they wrote. "With several billion phishing messages sent globally every day, phishing is a significant proportion of overall email volumes."

Lost Time and Money

In terms of time, 70% of organizations surveyed said they spent 16 to 60 minutes per phishing email, representing the time from initial discovery of a potentially malicious email to complete removal from the environment, the researchers said.

On average, most organizations spend about 31 to 45 minutes to mitigate a phishing message, with 29% of respondents reporting this time frame at their respective organizations. Overall, handling phishing-related activities consumes an average of one-third of the working hours available each week for the IT and security teams at their organization, according to respondents.

Researchers also attempted to quantify the actual cost of phishing to an organization by considering a number of factors, including the roles that survey respondents play in mitigating phishing at their respective organizations, as well as their individual salaries.

What they found based on their calculations was that, on an annual basis, organizations spend, on average, $45,726 in salary and benefits paid per IT and security professional to handle phishing, they said.

This cost goes up exponentially depending on how many IT and security professionals an organization has, researchers said. An organization with five IT and security professionals is currently paying $228,630 of the annual salary and benefits paid to handle phishing, for example, while an organization with 25 IT and security professionals incurs significant more cost per year — or about $1.14 million — to handle phishing.

Evolving Tactics

To anyone who follows the security landscape, to say that threat actors who engage in phishing are getting more sophisticated is no surprise. By now, most corporate workers are already trained to recognize emails that are potentially malicious, which has spurred cybercriminals to pivot to trickier, more evasive tactics to ensure success.

Half of survey respondents cited three emerging characteristics of the phishing emails that are surfacing in the enterprise now as most worrying in terms of demonstrating these tactics.

The first is the use of adaptive techniques — also known as polymorphic attacks — which vary each phishing message slightly to decrease the likelihood of being detected as a phishing message, the researchers said. These messages "must be evaluated one by one, rather than being able to match using signatures or other known or trained identifiers," making them harder to mitigate, according to the report.

Another is threat actors' use of compromised account credentials — which are either obtained by earlier phishing attacks or purchased on the Dark Web — to hijack current email threads to send out more phishing emails. These messages also are likely to bypass detection, since they're sent from the organization’s own email infrastructure, "removing many threat signals that can be evaluated when messages originate externally," the researchers noted.

Threat actors also are using other advanced obfuscation techniques in which "payload and link threats are nested, initially presented as benign, or subsequently downloaded," which also means phishing defenses have to work harder to flag potentially malicious emails, the researchers noted.

Microsoft Teams and Slack

Another emerging trend that at least half of the survey respondents reported seeing in their environments is phishing that spreads beyond email to communication and collaboration tools. Among the most common new attack vectors are messaging apps and cloud-based file sharing platforms such as Microsoft Teams and Slack, the researchers said.

"As phishing spreads to these new tools — often driven by account credential compromise — IT and security professionals will have to spend even more time addressing threats and seeking to eradicate threat actors from their other services," the researchers said.

What all of this adds up to for the enterprise is that they should get out ahead of the expected imminent surge in phishing attacks now if they want to free up cybersecurity staff to focus on more strategic initiatives, the researchers said.

Specifically, they advised enterprises "should be looking for more capable solutions that detect and stop more phishing attacks, offer detection of advanced polymorphic and nested threats, and protect communication and collaboration tools via a holistic solution rather than being limited to protecting email only."