Phishing Costs Flow Upstream

By Matthew Hines  |  Posted 2008-12-16 Print this article Print

The collateral financial damage incurred by online phishing attacks--such as the impact that the fraud has on hijacked brands--continues to spiral upward, according to a new research report issued by security monitoring specialist Cyveillance.

While exact financial projections remain hard to nail down because so many of the costs related to the phishing involve soft numbers including customer retention rates, the company has created a formula by which it has attempted to deduce the effect that the threats have on the companies swept up in the schemes.

Overall, Cyveillance estimates that phishing represents a $3 billion-per-year industry, which is certainly pretty astounding when you consider how many legitimate business models do nowhere near as much trade every four quarters. As you might guess, the profitability of phishing has only led to continued growth in the space, with highly targeted campaigns becoming ever more popular, the company said.

As for the types of companies and end users being targeted in the schemes, seemingly no one is left out, with everyone from high-worth financial services customers to illegal immigrants being attacked with new campaigns of late. Over the past three years, Cyveillance said it has tracked phishing attacks against more than 2,000 brands across 30 countries.

Despite creating its system of charting phishing costs, the company admits that it is impossible to assess all of the fallout related to the crime.

"Phishing attacks can cost organizations anywhere from thousands to millions of dollars per attack in fraud-related losses," the researchers contend in their report. "Although some of the costs can be measured easily, others are far more difficult to quantify; hard costs associated with phishing can be measured directly in terms of dollars, time and effort; soft costs are the intangible costs that are much more difficult to measure, [but] these costs can have a long-term impact on an organization's brand."

Among the hard costs of phishing tracked by Cyveillance:

  • Fraudulent charges associated with the compromised credit card
  • Cash withdrawals or "pump and dump" from compromised accounts
  • Employee time spent dealing with the fraudulent transactions
  • Customer support calls

And the softer costs:

  • Customer trust in online applications
  • Customer satisfaction
  • Damage to organizational reputation

Looking at all those factors, and assuming that only 10 percent of phishing e-mails reach their targeted audience, only half of whom are likely to fall for the ploy, Cyveillance concludes that out of every half million e-mails distributed, attackers will get their hooks into roughly 2,500 end users, costing organizations an average of $1,800 per compromise and triggering $400 per person in related remediation work.

And that's nothing to sneeze at when you're a giant financial services firm that just had 2,500 of your customers nailed, many of whom will also defect to other providers after you've paid to repair their financial and credit standing.

In response, companies must begin more actively preparing to deal with phishing attacks ahead of the events, the company warns.

"Any organization currently targeted by phishers or at risk for such attacks must develop and implement a comprehensive phishing protection and response plan in order to prevent or minimize the direct costs of phishing attacks. The plan should provide response guidelines that cover every phase of an attack in the fastest, most efficient manner," Cyveillance experts said. "The costs associated with phishing attacks are directly proportional to the amount of time that it takes an organization to address the attack, with most costs incurred during the first 24 hours of an attack. Because of the short length of this critical period, speed of detection and takedown of the attack are the two key areas that organizations can have the greatest impact in reducing the costs of phishing attacks."

Among the tips the company offers to potential phish-ees:

  • Identify the appropriate stakeholders and clearly communicate their responsibilities for responding to attacks
  • Make plans compatible with existing business processes and procedures
  • Create effective internal and external communications processes
  • Create a solid phishing response escalation path
  • Minimize or avoid negative customer experiences
  • Reduce financial losses associated with subsequent online fraud
  • Proactively protect your corporate reputation

Some of these may seem like no-brainers, but apparently many organizations have not gone to the trouble of creating such plans.

So do so ... or you're business may end up sleeping with the phishes.

Matt Hines has been following the IT industry for over a decade as a reporter and blogger, and has been specifically focused on the security space since 2003, including a previous stint writing for eWEEK and contributing to the Security Watch blog. Hines is currently employed as marketing communications manager at Core Security Technologies, a Boston-based maker of security testing software. The views expressed herein do not necessarily represent the views of Core Security, and neither the company, nor its products and services will be actively discussed in the blog. Please send news, research or tips to |

Submit a Comment

Loading Comments...
Manage your Newsletters: Login   Register My Newsletters

Rocket Fuel