Phishing is an email-based attack similar to spam, but designed for deception and impersonation rather than quick sales or exploiting gullibility. This makes the attack dangerous when the adversary has done enough research: they can gather large amounts of data from the web, by calling employees, or from having worked at the organization previously (or currently). With the gathered information they can build a campaign that convincingly impersonates a superior or a colleague who needs information. All they need then is for a single employee to fall for it.
The damage can be done in a number of ways, all of which cost companies money. It ranges from a few hundred dollars for re-imaging a machine and the lost work time, to hundreds of millions if client data is stolen, reputation is damaged, and insurance costs kick in. The extent of the damage is determined by the countermeasures in place and by the sophistication and dedication of the attacker. If the target has an anti-phishing/malware filter and well-trained employees, the damage can be minimized either by prevention or by early recognition. An attack noticed in minutes does far less harm than one not noticed for months. This is exactly why the cost of preventative measures is always worth it. Ten thousand dollars spent annually can prevent a single attack that alone costs ten thousand dollars, which is all too common. I’ve seen single emails cost companies almost $40,000 in a week from being noticed too late.
The attacker’s dedication to the campaign, along with prior experience and/or tools, will also contribute to the total damage. Technical and training-based preventative measures raise the bar on the skill set required, but the best attacks can still leave an organization vulnerable. This is why a skilled threat and breach recognition team and/or tool set is necessary, lest the company fall prey to an APT. Even basic attackers who get into organizations without defenses can do quite a bit of damage and cost thousands of dollars in remediation alone. This is why I always recommend paying for the defenses: setting the bar very high is not all that expensive, and it can keep most attacks out. If your business has been or may be targeted by an APT, I highly recommend going even further. I have seen these cost companies hundreds of thousands of dollars a year, which is less than the best security tools.
The costs of phishing attacks are on the rise, and this means IT has to stay one step ahead with defense. As the risk goes up, it becomes more and more valuable for companies to opt for paid security tools. These will save money in the long run (or sometimes immediately) and keep the company’s reputation spotless. They can even help reduce cyber insurance costs, which makes these measures even more cost-effective. Safety is not a one-time purchase, and buying new tools may seem like a waste, but as attackers get more advanced, these protective steps can save a company.