Security Magazine logo
search
cart
facebook twitter linkedin youtube
  • Sign In
  • Create Account
  • Sign Out
  • My Account
Security Magazine logo
  • NEWS
    • Security Newswire
    • Technologies & Solutions
  • MANAGEMENT
    • Leadership Management
    • Enterprise Services
    • Security Education & Training
    • Logical Security
    • Security & Business Resilience
    • Profiles in Excellence
  • PHYSICAL
    • Access Management
    • Fire & Life Safety
    • Identity Management
    • Physical Security
    • Video Surveillance
    • Case Studies (Physical)
  • CYBER
    • Cybersecurity News
    • More
  • BLOG
  • COLUMNS
    • Career Intelligence
    • Cyber Tactics
    • Cybersecurity Education & Training
    • Leadership & Management
    • Security Talk
  • EXCLUSIVES
    • Annual Guarding Report
    • Most Influential People in Security
    • The Security Benchmark Report
    • Top Guard and Security Officer Companies
    • Top Cybersecurity Leaders
    • Women in Security
  • SECTORS
    • Arenas / Stadiums / Leagues / Entertainment
    • Banking/Finance/Insurance
    • Construction, Real Estate, Property Management
    • Education: K-12
    • Education: University
    • Government: Federal, State and Local
    • Hospitality & Casinos
    • Hospitals & Medical Centers
    • Infrastructure:Electric,Gas & Water
    • Ports: Sea, Land, & Air
    • Retail/Restaurants/Convenience
    • Transportation/Logistics/Supply Chain/Distribution/ Warehousing
  • EVENTS
    • Industry Events
    • Webinars
    • Solutions by Sector
    • Security 500 Conference
  • MEDIA
    • Interactive Spotlight
    • Photo Galleries
    • Podcasts
    • Polls
    • Videos
      • Cybersecurity & Geopolitical Discussion
      • Ask Me Anything (AMA) Series
  • MORE
    • Call for Entries
    • Classifieds & Job Listings
    • Newsletter
    • Sponsor Insights
    • Store
    • White Papers
  • EMAG
    • eMagazine
    • This Month's Content
    • Advertise
  • SIGN UP!
CybersecurityManagementSecurity NewswireCybersecurity News

Phishing could have cost businesses $354m in potential direct losses

phishing freepik
August 20, 2021

Area 1 Security published the results of “It Started Out With A Phish,” a new study analyzing over 31 million threats across multiple organizations and industries, with new findings and warnings issued by technical experts that every organization should be aware of. 

A key aspect to preventing attacks is having a deep understanding of cyber actor patterns and continuously monitoring and deconstructing campaigns to anticipate future ones. Phishing can be a profitable business model, and most breaches begin with a phishing email. What appears to be an innocent email from a trusted vendor or internal department can lead to firm-wide shutdowns, loss of crucial data, and millions in financial costs. 

As detailed in the report, threats ranging from ransomware, credential harvesters to difficult-to-discover but costly business email compromise (BEC) targeted inboxes, could have resulted in over $354 million in direct losses had they been successful. Unfortunately, organizations that failed to take the proper protective measures to safeguard their organizations became all too familiar with the unfortunate and costly lessons these innocuous-looking phish presented, as supply chains and critical infrastructure came under attack within the US. 

Key findings include:

  • Nearly 9% of attacks used identity deception tactics such as spoofing, domain impersonation and display name impersonation. Other top tactics included credential harvesters (9.33%), compromised links (8.96%) and attachments (3.31%); 
  • Just 10 brands accounted for over 56% of all spoof- and impersonation-based phishing attacks, with the World Health Organization (WHO), Google and Microsoft positioned as the top three most impersonated;
  • In some cases, these spoofed emails hid BEC attacks, which represented the most significant financial damage despite low volume (1.3% of threats). On average, BEC requests sought $1.5 million—with the median being $260K;
  • Despite organizations’ attempts to negate risks through end-user training, more than 92% of user-reported phish were entirely benign spam or bulk mail, flooding IT teams with thousands of false alarms.

While employees meant well with their reports, the real dangers often slipped undetected past outdated defense systems and looked legitimate enough to put even the most heightened guards at ease. For example, more than half a million threats were missed by email authentication (DMARC, SPF, DKIM) and legacy defense systems, which could have caused millions in disruptions and financial loss without interception.

“Cyber campaigns continue to be a tool for waging war against corporations, theft of intellectual property, and massive financial and data loss,” said Patrick Sweeney, CEO at Area 1 Security. “Our research found that security awareness training is only beneficial from an educational perspective but not effective in stopping threats. Around 92% of user-reported phish are not malicious and actually benign, spam, or bulk mail, which often delays IT teams from discovering and stopping actual threats. The only solution is a preemptive, cloud-based, email security solution that prevents the phish from even hitting the inboxes.”

Area 1 Security’s recommendations for effectively defending against cloud email threats include:

  • Locking down identity: Secure accounts and identities by adding additional protection like multi-factor authentication (MFA). Never reuse passwords and always change default passwords.
  • Establish protocols and procedures against financial fraud: Establish and train on procedures to prevent financial loss in the case of BEC and financial fraud, such as requiring multiple approvers or “out-of-band” vendor verifications for transferring funds to new accounts. Also, train them on what to do in case they fall for the phish.
  • Take a zero-trust approach with email: It’s imperative to verify all communication that happens within email. Remove implicit trust by assessing the validity of messages beyond the sender to reduce risk from compromised partners. Choose a security system that can detect compromises and apply controls around compromised communications to extend zero-trust to email.

To learn more, download the “It Started Out With A Phish” report here.

 

KEYWORDS: cyber security information security phishing risk management

Share This Story

Looking for a reprint of this article?
From high-res PDFs to custom plaques, order your copy today!

Recommended Content

JOIN TODAY
To unlock your recommendations.

Already have an account? Sign In

  • Cyber tech background

    Security’s Top Cybersecurity Leaders 2026

    Security magazine’s Top Cybersecurity Leaders 2026 award...
    Top Cybersecurity Leaders
  • Iintegration and use of emerging tools

    Future Proof Your Security Career with AI Skills

    AI’s evolution demands security leaders master...
    Security Leadership and Management
    By: Jerry J. Brennan and Joanne R. Pollock
  • The 2025 Security Benchmark Report

    The 2025 Security Benchmark Report

    The 2025 Security Benchmark Report surveys enterprise...
    The Security Benchmark Report
    By: Rachelle Blair-Frasier
Manage My Account
  • Security Newsletter
  • eMagazine Subscriptions
  • Manage My Preferences
  • Online Registration
  • Mobile App
  • Subscription Customer Service

More Videos

Popular Stories

Hand reaching up out of the ocean

What I Learned About Burnout the Hard Way (and How to Actually Fix it)

Paparazzi

When Private Events Become Public Infrastructure: What Celebrity OSINT Teaches Security Leaders

Colorful laptop

Organizations Think They Know Who’s Visiting Their Sites. They Don’t.

Glasses in front of coding on screen

5 Ways Quantum and AI Will Rewrite the Rules of Cyberattacks

Cyber Tactics

AIBOMs: Bringing AI Security Out of the Shadows, A Practical Guide for Security Professionals

Kaseware sponsored webinar
Schneider Electric sponsored webinar

Events

August 25, 2026

Critical Infrastructure Security Is National Security: Protecting Essential Operations in an Era of Escalating Risk

LIVE: August 25, 2026 at 2 PM EDT Learn why critical infrastructure security has become a national security imperative, and the strategies organizations can adopt to improve visibility, collaboration, and response across their security operations.

August 27, 2026

Leveraging AI & Mobility to Advance Your Security Domain

LIVE: August 27, 2026 at 2 PM EDT Explore how AI-driven cloud security solutions can elevate your security domain enhancing threat detection, streamlining operations, and delivering the resilience modern organizations demand.

View All Submit An Event

Products

Security Culture: A How-to Guide for Improving Security Culture and Dealing with People Risk in Your Organisation

Security Culture: A How-to Guide for Improving Security Culture and Dealing with People Risk in Your Organisation

See More Products


Alertmedia sponsored webinar

Related Articles

  • SEC-Nov2018-cover_232px

    Direct Economic Losses from Climate-Related Disasters Continue to Climb

    See More
  • Employee Theft Cost US Businesses $1.13 Million in Losses

    See More
  • API-sec-freepik1170x658.jpg

    API security vulnerability in FinTech platform could have enabled account takeover

    See More

Related Products

See More Products
  • Hospitality Security: Managing Security in Today's Hotel, Lodging, Entertainment, and Tourism Environment

  • security culture.webp

    Security Culture: A How-to Guide for Improving Security Culture and Dealing with People Risk in Your Organisation

  • s in europe.jpg

    Surveillance in Europe

See More Products
×

Sign-up to receive top management & result-driven techniques in the industry.

Join over 20,000+ industry leaders who receive our premium content.

SIGN UP TODAY!
  • RESOURCES
    • Advertise
    • Contact Us
    • Store
    • Want More
  • SIGN UP TODAY
    • Create Account
    • eMagazine
    • Newsletter
    • Customer Service
    • Manage Preferences
  • SERVICES
    • Marketing Services
    • Reprints
    • Market Research
    • List Rental
    • Survey/Respondent Access
  • STAY CONNECTED
    • LinkedIn
    • Facebook
    • YouTube
    • X (Twitter)
  • PRIVACY
    • PRIVACY POLICY
    • TERMS & CONDITIONS
    • DO NOT SELL MY PERSONAL INFORMATION
    • PRIVACY REQUEST
    • ACCESSIBILITY

Copyright ©2026. All Rights Reserved BNP Media, Inc. and BNP Media II, LLC.

Design, CMS, Hosting & Web Development :: ePublishing