CASE FILE // PC-2026-04
Status: Open


Filing 00.00.01Phishing Incident CostFY 2026

How much does a phishing attack actually cost?

A field report for security leadership. We size the financial exposure of a phishing incident, by category, against publicly-filed data from the FBI Internet Crime Complaint Center, IBM Security, Verizon, and the Anti-Phishing Working Group. No vendor partisan framing.

Live Tape // Estimated Global Loss Since Page Load
UTC 22:07:11
$0_
Run rate $17,700 per minute. Source: APWG/IC3 aggregate, projected to a $25B annualised global phishing loss baseline.
Phishing breach cost
$4.80M
[IBM 2025]
US BEC losses
$2.77B
[IC3 2024]
Mean detection
254d
[IBM 2025]
Bulk emails / day
3.4B
[APWG 2025]
§ I // Modelling Worksheet

Size your annual phishing exposure

Exhibit A // Annual Phishing Cost Modelling Worksheet

Per-organisation incident cost estimator

CONFIDENTIAL DRAFT

Section I // Subject Profile
Tier: Mid-market (251-1k)
Click-rate reduction applied: 18%
Section II // Modelled Annual Exposure
Basis: IBM 2025 / IC3 2024
Total annual risk exposureProbability 79.5%
$19,327,645
0.54 successful incidents per year, all categories combined
Direct incident
Forensics, IR retainers, legal, PR
$2.04M
Business disruption
72h median active disruption
$2.94M
Data breach liability
Per-record cost, industry-weighted
$986K
Regulatory fines
GDPR, HIPAA, state notification
$1.91M
Reputation / churn
8% post-breach churn, 3yr LTV
$11.45M

Programme cost / yr
$23K
@ $30 per employee, monthly cadence
Residual after training
$8.96M
If stepping up to monthly
ROI multiple
460.9x
Net saving $10.35M

Methodology note. Estimates blend size-tier base rates from IBM Cost of a Data Breach 2025 with industry exposure factors from Verizon DBIR 2025 and Anti-Phishing Working Group 2025 attack-share data. Per-record costs follow the IBM 2025 industry table. Disruption hours use the IBM phishing-subset 72-hour median. Training ROI compares your current cadence against a stepped-up monthly cadence at $30 per employee per year. Output is for planning only.

§ II // Cost Categories

Where the money goes when a phish lands

Exhibit B

Six anatomy lines of a phishing incident

DECLASSIFIED

01

Direct loss

$2.77B
[IC3 2024 BEC complaints]

Wire-fraud transfers, fake invoice payments, redirected payroll. Often unrecoverable. The single category most likely to wipe an SMB.

02

Forensics + IR

$1.1M
[IBM 2025 mid-tier band]

Retainer-rate IR firms, image preservation, log-pull, eradication, post-mortem. Rates climb in regulated industries with chain-of-custody requirements.

03

Regulatory fines

up to 4%
[GDPR Art. 83(5)]

GDPR caps at 4% of annual global turnover or EUR 20M. HIPAA $100 to $50,000 per violation, $1.5M annual cap per type. SEC requires material disclosure within 4 business days.

04

Litigation

$2.1M
[Class action median]

Class-action filings now near-routine for breaches over 100K records. Settlement medians sit just above $2M with attorneys' fees layered.

05

Notification

$160/record
[IBM 2025 customer PII]

State-by-state notification (all 50 states have laws). Multi-state breaches force the highest-bar standard for the entire population.

06

Reputation / churn

33%
[Proofpoint customer impact]

Up to a third of customers report reduced trust after disclosure. Modelled here at 8% near-term churn against 3-year lifetime value.

§ III // Comparative Costs

Phishing against the rest of the threat ledger

Exhibit C

Average breach cost by initial vector

IBM 2025

Initial vectorAvg costMedian dwellShare of breaches
Phishing$4.80M254 days16%
Third-party / supply chain compromise$4.91M267 days15%
Stolen / compromised credentials$4.67M246 daysn/a
Malicious insider$4.92M260 daysn/a
Denial-of-service$4.41M236 daysn/a
Vulnerability exploitation$4.24M245 daysn/a

Phishing is not the most expensive vector per incident, but it is the dominant entry point. A high share of credential and ransomware events trace back to a phishing email upstream.[IBM 2025, Verizon DBIR 2025]

§ V // Frequently Filed Questions

Questions security leaders ask before the board meeting

Exhibit D

FAQ as filed

ON RECORD

How much does a phishing attack cost a company?[open]

The average breach with phishing as the initial vector costs $4.80M (IBM 2025), against a $4.44M global all-vector average. Breaches via stolen or compromised credentials average $4.67M. Total includes direct response, disruption, data breach liability, regulatory fines, and churn.

What share of data breaches start with phishing?[open]

Verizon DBIR 2025 attributes a substantial share of breaches to social engineering, with phishing dominant. Industry guidance routinely cites 90% or more of cyber attacks beginning with a phishing email.

How long until a phishing breach is detected?[open]

254 days mean time to identify and contain (IBM 2025). Breaches with a lifecycle over 200 days cost roughly $1.1M more ($5.01M vs $3.87M). Active disruption typically runs 72 hours from detection.

Which industries pay the most per phishing breach?[open]

Healthcare leads at $7.42M average breach cost (IBM 2025), the highest for the 14th year running, followed by financial services at $5.56M. Both sit well above the $4.44M cross-industry mean. See /by-industry for the full table.

What is BEC and why is per-incident cost so high?[open]

Business Email Compromise spoofs or compromises an executive or vendor mailbox to redirect a wire transfer. FBI IC3 logged $2.77B in US BEC losses for 2024 across 21,442 complaints. Per-incident cost is high because the loss is typically a direct outbound wire, not a recoverable asset.

What hidden costs follow a phishing incident?[open]

Reputation damage, ~8% near-term customer churn, insurance premium increases, executive and IT overtime, legal fees, and class-action exposure (around $2.1M settlement median).

Direct from Digital Signet

Building around your phishing defence?

Digital Signet builds custom software and AI automation for security teams. Detection tools, awareness tracking, evidence collection, workflow automation.

Get in touch →

Updated 2026-04-27