
Calculating the Cost of Spear Phishing

Spear phishing attacks are on the increase and healthcare providers have had to increase spending considerably to deal with the threat and mitigate risk. A recent survey conducted by Cloudmark/Vanson Bourne has helped to quantify the current level of spending on anti-phishing precautions and has produced an estimate of the cost of spear phishing.

Spear Phishing: A growing problem for healthcare providers

The sending of mass spam emails has long been a tactic used by cybercriminals to get individuals to reveal their login credentials, often indirectly after being fooled into installing malware on their computers. The vast majority of these email campaigns have been poorly written and ill-conceived. That said, they have still proved to be an effective way of delivering malware, although spam filtering technology has improved considerably in recent years and many of these emails are now being blocked.

Cybercriminals have realized that more targeted phishing emails have a much better chance not only of getting past spam filters, but also of eliciting the desired response. These spear phishing emails are tailored for specific individuals or groups within an organization. Oftentimes, targets are extensively researched prior to the emails being sent. These spear phishing emails can be incredibly effective.

Spear phishing has grown into one of the biggest security threats that enterprises now have to face, and the cost of preventing spear phishing attacks has grown considerably in recent years.


The Cost of Spear Phishing: How Much is Prevention Costing U.S. Companies?

A recent survey conducted by Cloudmark and Vanson Bourne set out to examine IT professionals’ points of view about spear phishing and gather information about their experience of spear phishing attacks with a view to calculating the true cost of spear phishing.

300 IT decision makers from organizations employing more than 1,000 staff members were asked questions about their experiences of spear phishing, and were asked about the measures their companies had implemented to tackle the growing problem of targeted phishing emails.

While the majority of organizations had implemented controls to prevent phishing emails from being delivered, 28% of spear phishing emails were still being delivered to recipients’ inboxes on average. The survey indicated 84% of organizations have had a spear phishing email breach their security defenses in the past 12 months.

Those defenses mainly involved the implementation of anti-virus and anti-malware solutions, although 70% of respondents said they had a specific anti-phishing solution to prevent spear phishing emails from being delivered. Those defenses had cost enterprises an average of $319,327 over the past 12 months.

When taking lost productivity, financial losses, company and brand reputation damage, intellectual property loss, decreases in stock prices, and customer loss into account, the average total losses due to phishing attacks were estimated to be $1,644,119 per company.

Who Is Being Targeted with Spear Phishing Emails?

Phishing campaigns were often successful when the emails appeared to come from upper management. Respondents indicated they had suffered 10 attacks on average that had involved the spoofing of a CEO’s email address.

While accounts and billing department employees are increasingly targeted by cybercriminals looking to fool users into making bank transfers to attacker-controlled accounts, the survey revealed that IT department staff were just as frequently targeted with spear phishing emails. Cybercriminals were after their account credentials because of the higher level of privileges those accounts carry. 44% of attacks targeted the IT department. Finance departments were targeted in 43% of attacks. The CEO was next in line, being the target of 27% of attacks.

Spear phishing prevention is not only about blocking the emails. Staff members must be trained to identify a phishing email when it arrives, and their phishing email identification skills must be put to the test. The survey respondents indicated this was happening on a frequent basis, although only 3% of respondents claimed that all of their employees had passed the last phishing email test.

Author: Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
