Dangers of phishing for businesses
A phishing attack is rarely an isolated incident. The dangers extend well beyond a single compromised account: financial losses, data breaches, reputational damage and legal consequences can affect a business for months or longer.
1. Financial losses: from fraud to ransomware
The most immediate cost is financial. Phishing leads to three types of financial loss:
Direct fraud
CEO fraud and fake invoices lead to direct transfers to criminal bank accounts. The average loss per successful CEO fraud at an SME is tens of thousands of euros. Recovery is rarely possible.
Ransomware
More than 90% of ransomware infections begin with a phishing email. Once an employee opens an infected attachment or enters credentials on a fake login page, the attacker gains a foothold, moves laterally and encrypts files on every system and network share the compromised account can reach. Ransom demands range from thousands to hundreds of thousands of euros. Recovery costs (rebuilding systems, forensic investigation, lost business) typically exceed the ransom itself.
Operational downtime
A successful attack brings systems down. For a company of 50 employees, two weeks of downtime quickly adds up to €150,000 to €300,000 in lost revenue, overflow costs and recovery work, excluding the direct financial damage.
Figure: The average total cost of a phishing-driven cyber attack for an SME ranges between €70,000 and €150,000, including all indirect costs.
2. Data breaches and privacy violations
One of the most serious consequences of phishing is access to confidential data. Via a compromised email account, an attacker gains access to customer data, contracts, personnel files, financial reports and strategic plans.
When phishing targets Microsoft 365 or Google Workspace accounts, the attacker often reads the entire mailbox - sometimes for weeks - before acting, and typically creates inbox rules that forward or delete messages so the activity stays hidden. During that time, they collect all the information needed for a follow-up attack (such as a fake invoice sent from the genuine account) or to sell on.
Types of data leaked via phishing:
- Customer data (names, addresses, contacts, contracts)
- Personnel data (salaries, national ID numbers, medical information)
- Financial information (bank details, annual reports, debtors)
- Intellectual property (designs, source code, business strategies)
- Login credentials for other systems (domino effect)
3. Reputational damage and loss of clients
Reputational damage is the danger of phishing that is hardest to quantify in euros - but can have the heaviest long-term impact. When clients, partners or the media learn that your company has fallen victim to a phishing attack, questions arise about your organisation's reliability and security posture.
Client loss
Clients whose data has been leaked switch to a competitor. In B2B relationships this loss can be lasting, particularly in sectors like finance, healthcare and legal.
Media coverage
Larger incidents make the news. Negative coverage is difficult to neutralise and remains searchable online for years.
Partner confidence
Business partners increasingly ask about your cybersecurity policy. An incident can lead to lost contracts or stricter requirements.
4. Legal consequences and GDPR fines
When a phishing attack leads to a data breach involving personal data, the GDPR requires you to report it to the relevant Data Protection Authority without undue delay and, where feasible, within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to the individuals concerned. Where the breach is likely to result in a high risk to those individuals, they must also be notified without undue delay.
GDPR fines
The GDPR requires organisations to take appropriate technical and organisational security measures. If an investigation finds that you failed to take sufficient precautions - including employee awareness training - the supervisory authority can impose fines of up to €20 million or 4% of annual global turnover, whichever is higher.
NIS2 Directive
The NIS2 Directive requires essential and important entities to implement risk-management measures against cyber attacks, including basic cyber hygiene practices and cybersecurity training, and to manage security in their supply chain, so the requirements also reach their suppliers. Documented phishing simulations and awareness training are a direct way to demonstrate that the training requirement is met.
How to limit the dangers of phishing
The dangers of phishing are real but largely manageable. The most effective approach combines technical measures with human training:
- Multi-factor authentication (MFA) on all accounts, preferably phishing-resistant methods such as FIDO2 security keys or passkeys, since one-time codes and push prompts can be relayed in real time by adversary-in-the-middle phishing kits
- Email authentication: SPF, DKIM and DMARC with an enforcing policy (p=quarantine or p=reject), so receiving mail servers reject messages that spoof your own domain; note that this does not stop lookalike domains, which still require user awareness
- Regular phishing simulations to identify vulnerable employees
- Security awareness training so employees recognise phishing
- A clear reporting procedure for suspicious emails
- An incident response plan so you know what to do if an attack succeeds