
The True Cost of Phishing and How to Block Attacks

Published on 15 June 18

Phishing is the biggest cyber threat faced by businesses, from small mom and pop stores to SMBs and the largest enterprises. Phishing is the fraudulent practice of obtaining sensitive information by deception, often using social engineering techniques to fool employees into disclosing their login credentials – either directly through emails or websites or indirectly via malware.

While phishing is primarily conducted via email, attacks can occur on websites, via SMS and messaging services, social media networks, or over the telephone. The consequences of a successful phishing attack can be severe, often resulting in costly malware infections, ransomware attacks, loss of customer information, theft of corporate secrets, or sizable bank transfers to criminals’ accounts.

The High Cost of Phishing Attacks

In 2015, the health insurer Anthem Inc. experienced the largest security breach ever to affect a healthcare organization. More than 78.8 million plan members’ records were stolen in the attack. The security breach is believed to have started with phishing emails sent to its employees. The full cost of the breach is not yet known, although Anthem has settled a class action lawsuit for $115 million on top of the costs of mitigating the breach. Regulatory fines could also be issued.

The U.S. retailer Target experienced a phishing attack in 2013 that resulted in the theft of customers’ credit and debit card details. Approximately 110 million customers were affected by the breach, with the resultant class action lawsuit settled for $39.4 million. The phishing attack was conducted on an HVAC contractor.

In 2016, an employee of Seagate Technologies LLC was fooled into emailing copies of employees’ W-2 Forms to a scammer. Approximately 12,000 employees joined a class action lawsuit that sought damages for the exposure of their tax information. The lawsuit was settled for $5.75 million.

In December 2015, the Department of Health and Human Services’ Office for Civil Rights (OCR) agreed to its first HIPAA violation settlement over a phishing attack. UW Medicine agreed to pay $750,000 to resolve the HIPAA violations. The breach saw malware installed on its network and the protected health information of 90,000 individuals was compromised. The malware was inadvertently installed by employees who responded to phishing emails.

Metro Community Provider Network (MCPN) settled a HIPAA violation case with OCR for $400,000 in 2017. The PHI of 3,200 individuals was obtained by a hacker following a successful phishing attack.

These regulatory fines and class action lawsuits are only part of the costs that must be covered. According to the Ponemon Institute/IBM Security Cost of a Data Breach Study, the average cost of a data breach is now $3.62 million.

In 2016, phishing attacks caused more than $3.1 billion in losses. The true cost of phishing attacks cannot be accurately determined: many phishing attacks go unreported, and even when they are reported, the losses sustained are often not disclosed.

Protecting Against Phishing

Phishing attacks take advantage of busy employees who do not stop and think before responding, and of individuals with poor security awareness. However, anyone can fall for a phishing email. While it was once fairly easy to identify a phishing attempt, phishing attacks are now much more sophisticated and use a wide range of techniques to fool even diligent and security-aware individuals into responding and disclosing their credentials.

Organizations that provide security awareness training to their employees can greatly reduce susceptibility to phishing attacks. Research by Cofense, a provider of anti-phishing training and related solutions, suggests training and phishing simulations can reduce susceptibility to phishing attacks by up to 95%.

Through training, organizations can eradicate risky behavior, train employees to stop and think before responding to email and web requests, and teach security best practices. Coupled with phishing simulations to reinforce training, it is possible to turn employees into a strong last line of defense.

Combine security awareness training with technologies such as spam filtering solutions, which reduce the volume of threats that reach inboxes, and it is possible to mount a robust defense against phishing attacks and avoid becoming another data breach statistic.

This blog is listed under IT Security & Architecture Community
