CASE FILE // PC-2026-04
Status: Open


Filing 03.00.00 | Field 27 APR 2026 | Classification Public | Status Open

Phishing Cost by Industry Sector

Average breach cost ranges from $2.55M (government) to $9.77M (healthcare). The variance is driven by data sensitivity, regulatory weight, and the value of operational continuity.

Exhibit A

Cost-by-industry summary

IBM 2025

Code | Industry | Avg breach | Per record | Top vector
I-01 | Healthcare / Life Sciences | $9.77M | $408 | BEC + ransomware via phishing
I-02 | Financial Services | $5.90M | $295 | BEC, credential-harvest
I-03 | Pharmaceutical | $5.10M | $232 | Spear-phish on R&D
I-04 | Energy / Utilities | $5.30M | $209 | BEC, OT-pivot phishing
I-05 | Technology / SaaS | $5.20M | $195 | Spear-phish + token theft
I-06 | Manufacturing / Industrial | $5.08M | $168 | BEC + invoice fraud
I-07 | Retail / E-commerce | $3.48M | $155 | Credential-harvest
I-08 | Government / Public Sector | $2.55M | $165 | Vishing + spear-phish
I-09 | Education | $3.65M | $142 | Bulk + smishing
I-10 | Professional Services | $5.08M | $178 | BEC, wire fraud

Per-record costs from IBM 2025 industry annex. Vector designations cross-checked against APWG 2025 attack-share table and Verizon DBIR 2025 industry sections.[IBM 2025, APWG 2025, Verizon DBIR 2025]

Sector I-01
Healthcare / Life Sciences
HIGHEST

Avg breach cost: $9.77M
Per record: $408
Regulatory frame: HIPAA, OCR, state notification

Highest-cost industry 14 years running. Clinical disruption is a patient-safety event, not just a financial one.

Dominant attack vector: BEC + ransomware via phishing

Sector I-02
Financial Services
MOST TARGETED

Avg breach cost: $5.90M
Per record: $295
Regulatory frame: GDPR, GLBA, NYDFS, FFIEC, FINRA

23.5% of all phishing volume per APWG 2025. Wire-fraud loss recovery rate sits below 30%.

Dominant attack vector: BEC, credential-harvest

Sector I-03
Pharmaceutical

Avg breach cost: $5.10M
Per record: $232
Regulatory frame: FDA, GxP, GDPR

IP theft drives the headline cost. Counterfeit-supply-chain disclosures add reputational drag.

Dominant attack vector: Spear-phish on R&D

Sector I-04
Energy / Utilities

Avg breach cost: $5.30M
Per record: $209
Regulatory frame: TSA, NERC CIP, EU NIS2

A pivot from IT compromise into operational technology raises CISA reporting exposure to an 8-hour window.

Dominant attack vector: BEC, OT-pivot phishing

Sector I-05
Technology / SaaS

Avg breach cost: $5.20M
Per record: $195
Regulatory frame: SOC 2, GDPR, state law

Customer-data multi-tenancy means a single phish can cascade across the customer base. The 2024 Snowflake-customer wave is illustrative.

Dominant attack vector: Spear-phish + token theft

Sector I-06
Manufacturing / Industrial

Avg breach cost: $5.08M
Per record: $168
Regulatory frame: ITAR, CMMC, GDPR

Long supplier chains mean BEC succeeds across many low-trust hand-offs. Production downtime cost dominates the disruption line.

Dominant attack vector: BEC + invoice fraud

Sector I-07
Retail / E-commerce

Avg breach cost: $3.48M
Per record: $155
Regulatory frame: PCI-DSS, GDPR, state law

Cardholder data drives PCI fines. The customer-trust impact peaks when seasonal revenue is exposed.

Dominant attack vector: Credential-harvest

Sector I-08
Government / Public Sector

Avg breach cost: $2.55M
Per record: $165
Regulatory frame: FISMA, state, FOIA

Lower direct cost, but cleanup spans contractor ecosystems. The 2023 LA Housing Authority incident is representative.

Dominant attack vector: Vishing + spear-phish

Sector I-09
Education

Avg breach cost: $3.65M
Per record: $142
Regulatory frame: FERPA, state law, GDPR

High user count, low per-record cost. Student-data disclosure carries long-tail reputational risk for institutions.

Dominant attack vector: Bulk + smishing

Sector I-10
Professional Services

Avg breach cost: $5.08M
Per record: $178
Regulatory frame: Bar / accounting body rules

Law and accounting firms hold privileged client material. Confidentiality breach is a malpractice exposure as much as a regulatory one.

Dominant attack vector: BEC, wire fraud

Annex SMB

The SMB phishing cost profile
HIGH-CASUALTY

$3.31M | Average breach cost [IBM 2025 small-org subset]
60% | Closure within 6 months of incident [National Cyber Security Alliance]
68% | Breaches that start with one untrained employee [Verizon DBIR 2025]

Companies under 500 employees face a different incident profile. Per-record cost is roughly the same, but the absolute loss cannot be absorbed from cash flow. A single BEC wire of $254,000 (the median for firms with 25 to 299 employees) is often a going-concern event. The insurance retention sits at the same dollar figure that would close the company. SMB defence economics therefore favour heavy investment in the cheapest controls (MFA, DMARC, monthly simulated phish) ahead of more expensive layered tooling.

Updated 2026-04-27