Financial Losses from Phishing

Randi Sherman
June 7, 2016 by
Randi Sherman

The Cost of Data Breaches

The cost of spear-phishing attacks in 2015 averaged more than $1.5 million per incident, with only some 3% of companies getting by unscathed during an attack, while others suffered losses in the tens of millions of dollars (or in one case in 2015, $100,000,000, breaking the $61,000,000 record of 2014).

Bear in mind, in these latter cases we're referring to how much money the thieves got away with. The Target retail data breach spread across two years, affected about 70 million customers, and had a total cost of $162 million dollars.

Two year's worth of NIST-aligned training

Two year's worth of NIST-aligned training

Deliver a comprehensive security awareness program using this series' 1- or 2-year program plans.

According to the Ponemon Institute, in a report from the first quarter of 2016, successful phishing attacks (against large companies with >10,000 employees) now pull in $3.7 million per attack. And this, it should be pointed out, was despite the deployment of security solutions, some of which were actually designed to prevent such fraud.

The sad fact of the matter is that more than 70% of companies are relying on traditional antivirus programs and anti-spam programs that they mistakenly believe to be adequate. It's true that such programs can prevent some attachments from getting through, and they can remove some URLs that don't go where they say they're going. However, if the message doesn't have the right trigger, it will just scoot right by the software detection. Scary, yes, but how do they do it?

The Technique

When a spear-phisher is acting like the CEO (or any authorized CxO), you are not going to find an URL in the e-mail trying to direct an employee to an attack site; you are not going to find an attachment trying to install malware on the company computer. You're not going to find anything that will trip traditional security detection software and make it a flag that e-mail as suspicious.

What you will find is a written instruction (supposedly from the CxO) directing someone in the finance department, who is quite used to making wire transfers, to move money into an account that the spear-phisher has control of, whereupon it disappears forever. And this is only one example. Software won't protect you when everything looks perfectly normal, and resembles every other item that came through today.

Legal Liability

A report from April 2015 indicated that ~40% of cyberattacks target smaller businesses (<500 employees). That represents a more 300% increase since 2011. Who can be held responsible?

In the case of Palkon v. Holmes (New Jersey, 2014) the plaintiff named the entire Board, CEO/president, and their general counsel for failing to have sufficient internal controls to protect customers' data and for concealing the breach from its investors. It was ultimately dismissed (with prejudice), but it served to bring a new level of awareness of just who might be headed to jail.


Businesses will have traditional insurance to protect them in case a client happens to trip over the threshold to their building as they enter. They'll have insurance to protect them in case of a product defect that harms their customers. They'll even have insurance to protect against a physical break-in where someone steals property or data. What they often won't have is cyber liability insurance.

Obtaining the insurance is expensive, but the cost is certainly worth it because of the level of awareness that it brings. Often to qualify for the insurance, systems have to be brought up to a base standard to minimize the exposure of the insurance company.

Faster than the Speed of Molasses

It is absolutely stunning to consider that 99.9% of compromised systems were breached through vulnerabilities for which a security patch had been available for more than a year! It makes you shake your head in disbelief: The cost of funding IT departments sufficiently so that they can afford to protect you is utterly trivial. Yet CxO-types continue to regard IT as a money pit that doesn't generate any value for the end product.

False Economy

IT is often the first place management looks when they want to trim costs, but that is akin to a bank manager putting a huge steel door on a building constructed of wood. It looks good to the customer inside, but anyone with a toolbox can cut a hole elsewhere and help themselves.

What Is Really wrong

Consider, for example, that 23% of people receiving phishing messages actually open the messages, and a further 11% click on the attachments. About 50% of that activity occurs within the first hour of receipt.

It is hard to blame employees for this, much as people want to seek a scapegoat. Remember we mentioned earlier that fully 70% of companies are relying on traditional antivirus programs and anti-spam programs that they mistakenly believe are adequate. Having a general feeling of "We're covered!" being promoted by the company can make employees feel like they don't need to exercise caution with their e-mail. That is precisely the wrong message to be giving to your best line of defense: human intelligence.

Where Do We Start?

Credentialing your employees appropriately is part of a fundamental defensive strategy. If, for instance, an employee were to make an unusual move from Accounting to Sales, you would think that previous credentials would be canceled; but, in the real world, that seldom happens. New permissions are simply tacked onto old permissions, and that's a recipe for disaster, if someone decides to exploit it.

Keep in mind that approximately 14% of all phishing attacks are inside jobs. In addition, about half of these were created by former employees using still-activated credentials. Much of that damage can be attributed to a lack of communication between HR and IT as the status of employees changes.


Simple steps like informing IT when an employee is fired, retires, quits, or simply doesn't show up for work for three days could save a large company between 1.5 and $3.7 million. Sending a memo seems pretty inconsequential in comparison, agreed?


Surprisingly, despite the numbers, a majority of CxOs, with the possible exception of the CIO, CITO, and CISO (information, information technology, and information security officers), don't see the threat. Up to 64% of companies have engaged in some rudimentary training for their employees to mitigate the risk, but sitting in a conference room with 30 others for an hour is essentially useless.

Even if people do learn something, often less than 10% of the total content is retained when tested just days later. Moreover, despite initial enthusiasm, they revert to their old ways very quickly.

The Better Way

True value can only be obtained when training is ongoing and tested irregularly, and when there are consequences for noncompliance. Infosec IQ offers such a program, which requires surprisingly little input on the part of the client.

There are a couple of strategies that can be followed to introduce the program.

  • Employees can receive an organization-wide instruction to visit the site and complete the pleasant, easy lessons that raise awareness about the problem, or;
  • All employees can receive a series of staged (artificial) phishing e-mails which they will likely succumb to and, at the end of the introductory period, they can be shown how many times they made the organization vulnerable.

Ultimately, everybody will receive three or four phishing emails per month thereafter. Employees will be scored on their ability to thwart the phishing attempts.

Organizations undertaking this training have seen the employee successfully-phished rate plummet from over 50% down to single digits (including "zero"). Given the right motivation, employees become enthusiastic about keeping these plunderers at bay. For the incorrigibles, a simple prod with a reminder that these test results will be considered as part of their next review can gain compliance. Whether you use a stick or a carrot is entirely up to you, but the fact of the matter is that you need to make this work.

The Takeaway

Obtaining good legal counsel and suitable cyber security insurance, according to the recommendations and to cover the eventualities, is a good step because it increases awareness. Just note that the market is still young and evolving.

While there are many types of insurance for different situations, providers are constantly entering (and leaving) the marketplace. If you want $100,000,000 in broad coverage, you should probably expect an annual premium of five or six figures, but that's only after you have been thoroughly vetted by the insurer to demonstrate you have a robust security program that is up to date and the type of corporate culture that works in its own best interest.

The Final Word

In the final analysis it really comes down to people. You can have systems, policies, hardware, and software, but ultimately it's your human firewall that can do the most to keep your company safe. Equipped with the proper information, they are your very best line of defense.

If your humans need training, come and see us. We would be delighted to assist you in getting prepared to repel the cutthroats and pirates who are trying to relieve you of your property, hold you to ransom, or destroy your credibility with your customers.

Drop by and try out the training for free. It's interesting and fun enough to keep your employees' attention.

Phishing simulations & training

Phishing simulations & training

Build the knowledge and skills to stay cyber secure at work and home with 2,000+ security awareness resources. Unlock the right subscription plan for you.

Remember…preparation is half the battle and fortune favors the prepared.

Randi Sherman
Randi Sherman

Randi is one half of The Social Calling, a writing duo with over 20 years of expertise in IT/Tech, Science, Health and more. They can be reached at