CASE FILE // PC-2026-04
Status: Open


Filing 00.00.01 // Phishing Incident Cost // FY 2026

How much does a phishing attack actually cost?

A field report for security leadership. We size the financial exposure of a phishing incident, by category, against publicly filed data from the FBI Internet Crime Complaint Center, IBM Security, Verizon, and the Anti-Phishing Working Group. No vendor-partisan framing.

Live Tape // Estimated Global Loss Run Rate
Run rate $17,700 per minute. Source: APWG/IC3 aggregate, projected to a $25B annualised global phishing loss baseline.
Avg breach cost: $4.88M [IBM 2025]
US BEC losses: $2.77B [IC3 2024]
Mean detection: 254d [IBM 2025]
Bulk emails / day: 3.4B [APWG 2025]
§ I // Modelling Worksheet

Size your annual phishing exposure

Exhibit A // Annual Phishing Cost Modelling Worksheet

Per-organisation incident cost estimator

CONFIDENTIAL DRAFT

Section I // Subject Profile
Tier: Mid-market (251-1k)
Click-rate reduction applied: 18%
Section II // Modelled Annual Exposure
Basis: IBM 2025 / IC3 2024
Total annual risk exposure (probability 79.5%): $19,327,645
0.54 successful incidents per year, all categories combined

Direct incident (forensics, IR retainers, legal, PR): $2.04M
Business disruption (72h median active disruption): $2.94M
Data breach liability (per-record cost, industry-weighted): $986K
Regulatory fines (GDPR, HIPAA, state notification): $1.91M
Reputation / churn (8% post-breach churn, 3yr LTV): $11.45M

Programme cost / yr: $23K (@ $30 per employee, monthly cadence)
Residual after training: $8.96M (if stepping up to monthly)
ROI multiple: 460.9x (net saving $10.35M)

Methodology note. Estimates blend size-tier base rates from IBM Cost of a Data Breach 2025 with industry exposure factors from Verizon DBIR 2025 and Anti-Phishing Working Group 2025 attack-share data. Per-record costs follow the IBM 2025 industry table. Disruption hours use the IBM phishing-subset 72-hour median. Training ROI compares your current cadence against a stepped-up monthly cadence at $30 per employee per year. Output is for planning only.
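As an added example (not part of this case file or its calculator), a small estimator that follows the structure of Exhibit A: one incident split into the worksheet's five cost lines, annual exposure from the successful-incident rate, and training ROI against a stepped-up cadence. The profile values, the direct-loss and fines inputs, and the assumption that successful incidents fall in proportion to the click-rate reduction are constructed; the $164 per-record, 72-hour and 8% churn figures are the ones cited on this page.

```python
from dataclasses import dataclass

# Figures cited on this page.
PER_RECORD_COST = 164.0    # notification cost per record (IBM 2025)
DISRUPTION_HOURS = 72      # median active disruption after a phish (IBM phishing subset)
CHURN_RATE = 0.08          # near-term post-breach customer churn used in Exhibit A

@dataclass
class Profile:
    """Subject profile; every value supplied here is a constructed planning input."""
    employees: int
    records_held: int            # personal records exposed in a breach
    customers: int
    customer_ltv_3yr: float      # 3-year lifetime value per customer
    hourly_disruption_cost: float

def per_incident_cost(p: Profile, direct_loss: float, fines: float) -> dict:
    """Split one successful incident into the worksheet's five cost lines."""
    return {
        "direct_incident": direct_loss,
        "business_disruption": DISRUPTION_HOURS * p.hourly_disruption_cost,
        "data_breach_liability": p.records_held * PER_RECORD_COST,
        "regulatory_fines": fines,
        "reputation_churn": p.customers * CHURN_RATE * p.customer_ltv_3yr,
    }

def annual_exposure(incidents_per_year: float, cost_by_category: dict) -> float:
    """Expected annual loss: successful-incident rate times summed per-incident cost."""
    return incidents_per_year * sum(cost_by_category.values())

def training_roi(incidents_per_year: float, cost_by_category: dict,
                 click_rate_reduction: float, employees: int,
                 cost_per_employee: float) -> dict:
    """Baseline exposure versus a stepped-up cadence at cost_per_employee per year.
    Assumption: successful incidents fall in proportion to the click-rate reduction."""
    baseline = annual_exposure(incidents_per_year, cost_by_category)
    residual = annual_exposure(incidents_per_year * (1 - click_rate_reduction),
                               cost_by_category)
    programme = employees * cost_per_employee
    net_saving = baseline - residual - programme
    return {"baseline": baseline, "residual": residual, "programme_cost": programme,
            "net_saving": net_saving, "roi_multiple": net_saving / programme}

if __name__ == "__main__":
    org = Profile(750, 5_000, 2_000, 1_500.0, 10_000.0)   # constructed mid-market profile
    cats = per_incident_cost(org, direct_loss=500_000.0, fines=200_000.0)
    for k, v in training_roi(0.5, cats, 0.18, org.employees, 30.0).items():
        print(f"{k:>15}: {v:,.2f}")
```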

§ II // Cost Categories

Where the money goes when a phish lands

Exhibit B

Six anatomy lines of a phishing incident

DECLASSIFIED

01

Direct loss

$2.77B
[IC3 2024 BEC complaints]

Wire-fraud transfers, fake invoice payments, redirected payroll. Often unrecoverable. The single category most likely to wipe an SMB.

02

Forensics + IR

$1.1M
[IBM 2025 mid-tier band]

Retainer-rate IR firms, image preservation, log-pull, eradication, post-mortem. Rates climb in regulated industries with chain-of-custody requirements.

03

Regulatory fines

up to 4%
[GDPR Art. 83(5)]

GDPR caps at 4% of annual global turnover or EUR 20M. HIPAA $100 to $50,000 per violation, $1.5M annual cap per type. SEC requires material disclosure within 4 business days.

04

Litigation

$2.1M
[Class action median]

Class-action filings now near-routine for breaches over 100K records. Settlement medians sit just above $2M with attorneys' fees layered.

05

Notification

$164/record
[IBM 2025]

State-by-state notification (all 50 states have laws). Multi-state breaches force the highest-bar standard for the entire population.

06

Reputation / churn

33%
[Proofpoint customer impact]

Up to a third of customers report reduced trust after disclosure. Modelled here at 8% near-term churn against 3-year lifetime value.

§ III // Comparative Costs

Phishing against the rest of the threat ledger

Exhibit C

Average breach cost by initial vector

IBM 2025

Initial vector                      Avg cost   Median dwell   Share of breaches
Phishing                            $4.88M     254 days       16%
Stolen / compromised credentials    $4.81M     292 days       15%
Cloud misconfiguration              $4.00M     241 days       11%
Malicious insider                   $4.99M     216 days       7%
Ransomware (post-access)            $5.13M     230 days       ~10%
Business email compromise (BEC)     $4.67M     266 days       ~7%

Phishing is not the most expensive vector per incident, but it is the dominant entry point. A high share of credential and ransomware events trace back to a phishing email upstream. [IBM 2025, Verizon DBIR 2025]

§ V // Frequently Filed Questions

Questions security leaders ask before the board meeting

Exhibit D

FAQ as filed

ON RECORD

How much does a phishing attack cost a company?

The average breach with phishing as the initial vector costs $4.88M (IBM 2025). BEC averages $4.67M per incident. Smaller organisations face $3.31M average breach cost. Total includes direct response, disruption, data breach liability, regulatory fines, and churn.

What share of data breaches start with phishing?

Verizon DBIR 2025 attributes a substantial share of breaches to social engineering, with phishing dominant. Industry guidance routinely cites 90% or more of cyber attacks beginning with a phishing email.

How long until a phishing breach is detected?

254 days mean time to identify and contain (IBM 2025). Breaches detected after 200 days cost roughly $1.2M more. Active disruption typically runs 72 hours from detection.

Which industries pay the most per phishing breach?

Healthcare leads at $9.77M average breach cost (IBM 2025), followed by financial services at $5.9M. Pharmaceutical and energy run above the cross-industry mean. See /by-industry for the full table.

What is BEC and why is per-incident cost so high?

Business Email Compromise spoofs or compromises an executive or vendor mailbox to redirect a wire transfer. FBI IC3 logged $2.77B in US BEC losses for 2024 across 21,442 complaints. Per-incident cost is high because the loss is typically a direct outbound wire, not a recoverable asset.

What hidden costs follow a phishing incident?

Reputation damage, ~8% near-term customer churn, insurance premium increases, executive and IT overtime, legal fees, and class-action exposure (around $2.1M settlement median).

Updated 2026-04-27