Phishing attacks cost companies $3.77 million per year


Phishing attacks are costly, according to a recent study from the Ponemon Institute. The cost is obvious when an employee falls for a phishing scam and compromises his or her endpoint, or possibly the network as a whole. Avoiding phishing attacks is costly too, however, at least in terms of the productivity lost while employees sift through and reject phishing email.

I wrote this blog post about the financial impact of phishing attacks on businesses.

Organizations spend a significant amount of money on security tools. All of the firewalls and antimalware solutions in the world, though, offer little protection against a phishing attack that tricks an authorized user into downloading malicious software or handing over credentials, because the user's action looks like legitimate activity to perimeter controls. Phishing attacks are becoming more effective and more costly as time goes on.

The Ponemon Institute recently published a report titled Cost of Phishing and the Value of Employee Training that illustrates the concerning trends behind phishing. Ponemon researchers surveyed 377 IT and IT security professionals from organizations throughout the United States to learn more about the financial consequences of phishing scams and the financial impact phishing has on employee productivity. Nearly 40 percent of survey respondents represent companies of 1,000 or more employees.

The report analyzes several elements, both direct and indirect, of the cost of a phishing attack. Ponemon weighed the cost to contain malware, the cost of malware that is not contained, lost productivity, the cost to contain credential compromises, and the cost of credential compromises that are not contained. The Ponemon report concludes, "Based on these costs, the extrapolated total annual cost of phishing for the average-sized organization in our sample totals $3.77 million."

$3.77 million? Does your organization have $3.77 million of its annual budget allocated to defending against phishing attacks, or a spare $3.77 million lying around with nothing better to do?

The most expensive component of the cost of a phishing attack is lost employee productivity, which includes both the time employees spend viewing and rejecting phishing emails and the time spent remediating a successful phishing attack. According to Ponemon, lost productivity makes up 48 percent of the total.

Read the full post on the RSA Conference blog: How Much Will That Phishing Trip Cost You?


About Author

I have a passion for technology and gadgets--with a focus on Microsoft and security--and a desire to help others understand how technology can affect or improve their lives. I also love spending time with my wife, 7 kids, 2 dogs, 5 cats, 2 rabbits, 2 ferrets, a pot-bellied pig, and sulcata tortoise, and I like to think I enjoy reading and golf even though I never find time for either. You can contact me directly at For more from me, you can follow me on Twitter, Facebook, Instagram and LinkedIn.


  1. I’d bet the cost is a lot more when you add in reputation and loss of productivity from the time spent undoing all the problems. This is a good argument for solid security plans and practices, as well as working with a strong vendor that has a lot of ties within the security arena.


    Karen Bannan, commenting on behalf of IDG and Dell.