Each quarter, Agari publishes insights into new threats for both inbound and outbound email. From October to December, we found:

  • Account takeover-based threats account for 20% of the inbound attacks that target employees.
  • While 70% of brand impersonation attacks spoofed Microsoft, another notable impersonation target was the IRS.
  • Costs reported by security operations centers (SOCs) to triage, investigate, and remediate threats exceeded $4.86M.
  • The volume of raw DMARC domains surged to 6.1 million, but major businesses are still lagging in adoption rates.

Download your copy of the Q1 2019 report now to learn which brands and identities were targeted most.

Phishing Incident Response Trends


Employee-Reported Phishing is Flooding Security Operations Centers

While businesses strive to implement security controls to prevent phishing emails from reaching employee inboxes, there will always be a risk that employees will receive malicious emails intended to defraud the company or steal sensitive information as part of a data breach. For US-based companies, the average cost of a breach now runs $7.9 million, and the probability of a breach occurring is now 14% per year, according to the Ponemon Institute Cost of Data Breach Study 2018.

Employee Reporting as Threat Intelligence

With the vast majority of businesses implementing security awareness training, phishing simulation, and the ability for employees to report phishing, it’s critical to understand how to leverage this threat feed to discover and contain breaches before data is exfiltrated. To that end, it’s crucial for businesses to streamline the process of triaging, investigating, and remediating phishing incidents to avoid flooding the security operations center (SOC) with more phishing incidents to investigate than it can handle. Otherwise, intelligence regarding breaches may go undiscovered until it is far too late.

Phishing Incident Response Survey

As part of the introduction of Agari Phishing Response to the market, the Agari Cyber Intelligence Division (ACID) conducted a survey of 325 organizations ranging in size from 1,000 employees to 209,000 employees. Of the respondents, 237 were based in the United States with 83 based in the United Kingdom.

The respondents included a combination of both Agari customers and non-customers—74 and 251 respectively. The survey asked a series of questions regarding employee-reported phishing—including reporting mechanism, volume, false positive rate, existing tools for phishing incident response, and time required to investigate phishing. This section of the Q1 2019 report highlights the analysis of responses to these questions.

Key Findings
  • Employees reported an average of 23,063 phishing incidents to the Security Operations Center each year.
  • SOC analysts spent an average of 3.96 hours on a false positive, and 5.88 hours on a valid phish.
  • The average enterprise needs to hire 54 SOC analysts and spends $4.86M to triage and remediate all phishing reports.

Empowering Employees:
Impact of Security Awareness Training on Phishing Reporting

Respondents report that 98% of employees have the ability to report phishing attacks, and often even have a convenient button and/or abuse inbox to forward suspicious messages to the security team. Eighty-eight percent of organizations report using a phishing simulation vendor to test employees’ ability to detect a phishing incident after participating in security awareness training.


Hitting the Panic Button:
How Do Employees Report Phishing?

While the most common method available to employees for reporting phishing is an abuse@company.com inbox, most companies offer several other methods as well, including filing a help desk trouble ticket, using the native email client's reporting feature (Microsoft Office 365, for example), or using a third-party email client button such as the KnowBe4 phishing button.


Whether the phishing incident is reported through an inbox or a phishing button, the phishing email itself is forwarded to some combination of the security operations center (SOC), the help desk, and the investigation and remediation team. In some cases, the mail platform (Microsoft Office 365 or G Suite) or the phishing simulation vendor also receives a copy of the reported messages.

Employee Reported Phishing Incidents Volume and Accuracy

With 98% of employees having the ability to report phishing and 88% being tested regularly on their ability to identify phishing incidents, the next logical question to answer is “What is the volume of employee reported phishing incidents?”

Based on the 304 organizations we surveyed—222 in the United States and 82 in the United Kingdom—employees report more than 23,000 phishing incidents per organization on an annual basis, with a slightly higher number of phishing incidents in UK-based companies.


The most common range, reported by 30% of respondents, was 12,000 to 36,000 phishing incidents per year.

False Positive Rate

While employees frequently report phishing, the emails they report are not always true phishing incidents.

Security training often encourages users to report any suspicious email. As a result, spam, unwanted marketing email, and even legitimate email are frequently reported as phishing when they are not.

When we asked organizations “What percentage of employee phishing reports were determined to be false positives?”, companies reported a false positive rate of 50% on average, with a slightly higher false positive rate in UK-based companies.


Time Required for Triage, Investigation, Forensics, and Remediation


In the survey, respondents were asked: “For employee phishing reports, how much time on average does it take a SOC analyst to triage, investigate, and remediate?” This question was asked in the context of both true phishing incidents and false positive reports.

The overall average across all phishing incidents was 4.9 hours to triage, investigate, and remediate. On average, SOC analysts spent 3.96 hours triaging a false positive, and 5.88 hours triaging, investigating, and remediating a valid phish.

The triage process typically involves a quick investigation of the sender domain and address, the URLs, and any attachments to determine whether the message is potentially malicious. This process is often manual, requires multiple third-party tools, and depends on the judgment of the analyst.

By comparing the average false positive to true phish time, we estimate that 67% of SOC analyst time is spent in the triage phase of the process, while only 33% is spent on forensic analysis and remediation.
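The manual triage steps described above (sender domain and address, URLs, attachments) are the part of the process a SOC would script first. The following is an added example, not Agari's code: it parses one constructed reported message with Python's standard library and returns the facts an analyst needs plus the mismatches that deserve a second look. Every address, host and file in the sample is made up.

```python
import hashlib
import re
from email import message_from_bytes, policy
from email.utils import parseaddr
from urllib.parse import urlparse
# Constructed sample of an employee-reported message; every address, host and file is made up.
SAMPLE_EML = b"""\
Authentication-Results: mx.company.example; spf=pass smtp.mailfrom=mail-relay.example.net; dkim=none; dmarc=fail header.from=bank.example
From: "Bank Support" <alerts@bank.example>
Reply-To: <support-desk@bank-example.help>
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<p>Please <a href="http://login.bank-example.help/verify">sign in</a> to confirm.</p>
--b1
Content-Disposition: attachment; filename="statement.pdf.exe"
Content-Transfer-Encoding: base64

aGVsbG8=
--b1--
"""
URL_RE = re.compile(r"https?://[^\s\"'<>]+")
AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)")
def domain_of(msg, header):
    # lower-cased domain of the address in a header ('' if the header is absent)
    return parseaddr(str(msg.get(header, "")))[1].rpartition("@")[2].lower()

def triage(raw: bytes) -> dict:
    # the first-pass checks the text describes analysts doing by hand, run on one reported message
    msg = message_from_bytes(raw, policy=policy.default)
    from_dom, reply_dom = domain_of(msg, "From"), domain_of(msg, "Reply-To")
    auth = dict(AUTH_RE.findall(str(msg.get("Authentication-Results", ""))))
    urls, attachments, flags = [], [], []
    for part in msg.walk():
        if part.get_content_disposition() == "attachment":  # file name + hash for a reputation lookup
            data = part.get_payload(decode=True) or b""
            attachments.append((part.get_filename(), hashlib.sha256(data).hexdigest()))
        elif part.get_content_type() in ("text/plain", "text/html"):
            urls += URL_RE.findall(part.get_content())
    if reply_dom and reply_dom != from_dom:
        flags.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")
    if auth.get("dmarc") == "fail":
        flags.append("DMARC failed for the From domain")
    for host in sorted({urlparse(u).hostname or "" for u in urls}):
        if not host.endswith(from_dom):
            flags.append(f"link host {host} does not match From domain")
    return {"from_domain": from_dom, "auth": auth, "urls": urls, "attachments": attachments, "flags": flags}
```

The flags are prompts for the analyst, not a verdict; the hashes and hosts are what gets pasted into the third-party lookup tools the text mentions.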


Reality Check:
A SOC Staffing Snapshot

To determine if SOCs are adequately staffed to handle phishing incidents in a timely manner, respondents were asked about the size of the SOC team.


A full 94% of organizations reported having at least one dedicated SOC analyst. As you might expect, the analysis showed a strong correlation between company size, the number of phishing incidents, and the number of SOC employees.

For example, 41% of organizations with more than 10,000 employees had 20 or more SOC analysts. The same is true of organizations with 60,000 or more phishing incidents per year.

The Staffing Gap

Based on the average number of phishing incidents and the average time to remediation (4.9 hours), the average SOC needs 54 analysts to handle the number of phishing incidents per company. Given that the average number of SOC analysts in our survey is 12.5, there is a staffing gap of at least 41.5 full-time equivalents (FTEs). This gap currently results in most organizations failing to detect phishing incidents, which opens each organization to the possibility of breaches or fraud.

Rising Costs:
Data Breach Economics

According to the 2018 Verizon Data Breach Investigations Report (DBIR), the entry point for 96% of data breaches is email. The average cost of a data breach in the United States is $7.9 million, with a 14% probability of a breach occurring annually, according to Ponemon Institute. If you multiply the average breach cost of $7.9 million by the probability of 14%, the annual breach risk is $1.1 million.


Meanwhile, the DBIR finds that the average data breach results in the exfiltration of data within minutes or hours, while the average time to discovery is months. This is likely a symptom of understaffed SOCs and inefficient processes for handling phishing incidents. Ideally, SOC analysts would be able to triage, investigate, and remediate reported phishing incidents within minutes, enabling the business to remediate the compromise and contain the breach.

Automate or Else?
Mitigating Breach Risk by Reducing Time-to-Remediation

As part of the phishing incident response survey, we asked respondents how much reducing the response time required for phishing incident response would reduce their breach risk. Overall, businesses felt they could reduce breach risk by 50% by automating the process of phishing incident response.

A 50% reduction in breach risk would result in a $551,025 decrease in annual breach risk for the average business.


Totaling It Up:
The Cost of Manual Response vs. the Savings from Automation

Based on the data captured in the phishing incident response survey, we have all of the factors needed to estimate the cost of manually handling phishing incidents, average breach risk, and the potential cost savings of automating the process.


To calculate a custom ROI, visit www.agari.com/roi

A Massive Difference

Using averages for all variables, the detailed calculations above show a total annual cost to the SOC of $4.86 million and an average annual breach risk of $1.1 million—for a total cost of $5.96 million per company. Based on the results we’ve seen with our enterprise clients, automation can reduce the time SOC analysts spend per phishing incident by 90% or more. In addition, survey respondents estimate that the faster remediation of phishing incidents results in a 50% reduction in breach risk. Thus, the time saved by SOC analysts translates to $4.37 million and the reduction in breach risk represents a savings of $550,000—for a total savings of $4.92 million.
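The calculation table the text refers to is not reproduced on this page. As an added example (not Agari's ROI calculator), the model below reproduces the report's figures from its stated inputs so an organization can substitute its own. Two values the page never states are assumptions: 2,080 analyst hours per year, and a loaded cost of $90,000 per analyst, which is what $4.86M divided by 54 analysts implies; the weighted average handling time is rounded to 4.9 hours as the text does.

```python
from dataclasses import dataclass

HOURS_PER_FTE = 2080        # assumption: 40 h/week x 52 weeks; the page does not state it
COST_PER_ANALYST = 90_000   # assumption: implied by $4.86M / 54 analysts; the page does not state it

@dataclass
class SurveyInputs:
    incidents_per_year: float        # employee-reported phishing incidents per year
    false_positive_rate: float       # share of reports that turn out not to be phish
    hours_per_false_positive: float  # analyst hours to close a false positive
    hours_per_true_phish: float      # triage, investigation and remediation of a real phish
    analysts_on_staff: float         # current SOC headcount
    breach_cost: float               # average cost of one breach
    breach_probability: float        # annual probability of a breach
    automation_time_saved: float = 0.9      # report: 90% or more of analyst time
    automation_risk_reduction: float = 0.5  # report: respondents estimate 50%

def cost_model(s: SurveyInputs) -> dict:
    # weighted average handling time, rounded to one decimal as the report does (4.92 -> 4.9)
    avg_hours = round(s.false_positive_rate * s.hours_per_false_positive
                      + (1 - s.false_positive_rate) * s.hours_per_true_phish, 1)
    analysts_needed = round(s.incidents_per_year * avg_hours / HOURS_PER_FTE)
    soc_cost = analysts_needed * COST_PER_ANALYST       # annual cost of manual handling
    breach_risk = s.breach_cost * s.breach_probability  # expected annual breach loss
    return {
        "avg_hours_per_incident": avg_hours,
        "analysts_needed": analysts_needed,
        "staffing_gap": analysts_needed - s.analysts_on_staff,
        "soc_cost": soc_cost,
        "breach_risk": breach_risk,
        "total_cost": soc_cost + breach_risk,
        "savings": s.automation_time_saved * soc_cost + s.automation_risk_reduction * breach_risk,
    }

# Inputs as reported in the survey sections above.
SURVEY = SurveyInputs(incidents_per_year=23_063, false_positive_rate=0.5,
                      hours_per_false_positive=3.96, hours_per_true_phish=5.88,
                      analysts_on_staff=12.5, breach_cost=7_900_000, breach_probability=0.14)

if __name__ == "__main__":
    for key, value in cost_model(SURVEY).items():
        print(f"{key:>24}: {value:,.2f}")
```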
