Dangerous links, dubious claims and nasty tricks: cybercriminals repeatedly gain access to the most sensitive parts of an organization, and that can quickly become expensive. The cybersecurity company Proofpoint, together with the private Ponemon Institute, has presented a study on phishing attacks against US companies. While in 2015 average annual losses from phishing attacks of 3.8 million US dollars were recorded, the 591 IT managers surveyed reported significantly higher losses of around 14.8 million dollars for 2021.
Malware, BEC and access data: This is how the phishing costs come about
The total presented in "The 2021 Cost of Phishing Study" is made up of several factors. The calculation includes, for example, the cost of containing malware, and the cost that arises when containment fails. Around 15 percent of all malware infections are attributed to phishing attacks; resolving them costs around $807,506 on average. The compromise of access credentials is broken down into the total in a similar way.
Fraud via business email compromise (BEC, of which so-called CEO fraud is the best-known variant) is also an enormous cost factor. The forged emails purport to come from a member of management and usually instruct employees to transfer large sums of money. In the last twelve months, about 1.17 million dollars per company on average flowed directly as payments to undetected BEC attackers. The costs incurred in the further course of such attacks are, however, significantly higher, at almost six million dollars per year.
Phishing attacks: lost time is money too
Phishing messages also mean a loss of productivity for companies: the study estimates that employees of US companies spent around four hours a year dealing with phishing emails in 2015, compared to seven hours in 2021. Financially, that amounts to an average loss of $3.2 million in 2021, up from $1.8 million in 2015. After an attack, cleaning and restoring infected systems in particular takes time, while the least time is spent on documentation and planning.
But what is the situation for German companies? A survey on economic protection presented by the German digital association Bitkom at the beginning of August 2021 shows that the share of companies in Germany affected by "digital sabotage", for example, has risen by eleven percentage points compared to 2019, and reports of theft of sensitive digital data and information are up 19 percent on 2019.
The most common cyberattacks against German companies are malware, DDoS attacks and spoofing.
False identity, real harm
Phishing attacks result in damage in 18 percent of cases, a slight decrease compared to 2019 (23 percent). Overall, however, attacks now cause actual damage more often than in 2019: companies report an increase in the damage rate from 70 percent to 86 percent. According to a majority of those surveyed, the number of cyberattacks as such increased "strongly" or "somewhat" in 2020, and most assume that this trend will continue.