Our quarterly analysis finds that business email compromise and brand impersonation scams continue to evolve at a relentless pace, and could even put major US presidential candidates at risk.

Download the report for our latest statistics, including:

  • Nearly 30% of BEC attacks now originate from compromised accounts
  • Employee-reported phishing attacks reaching SOCs surge 25%
  • DMARC adoption rises, but 90% of the Fortune 500 are still unprotected
  • Over 90% of current presidential candidates remain unprotected against email threats


Phishing Incident Response Trends

Key Findings

Employees report an average of 29,028 phishing incidents to the security operations center each year per organization—a 25% increase in just 90 days.

The average time it takes to triage, investigate, and remediate reported phishing incidents jumped to 6.5 hours, a 35% increase in one quarter.

Costs for the security operations center to triage, investigate, and remediate employees reported phishing nearly doubled—exceeding $8.1 million.

Incident Response Trends
SOCs See Reported Phishing Attacks Jump 25%

In today’s threat environment, there is no possible way to completely remove the risk that an employee will fall for a phishing email designed to defraud the company or steal sensitive information as part of a data breach. During the first quarter of 2019, the time required for security operations centers (SOCs) to respond to employee-reported phishing attacks spiked 32% in just 90 days.

For US-based companies, this matters—a lot. Today, the average cost of a breach is approaching $8 million, and the probability of falling victim to a breach is now 14% per year, according to Ponemon Institute. And it’s getting worse, in part because of the very mechanism businesses are putting in place to mitigate the issue.

The Unexpected Consequences of Employee-Reported Phishing Attacks

In addition to security awareness training and phishing simulations, the vast majority of businesses have provided employees with the ability to report suspected phishing emails. It is critical to understand how to leverage this threat feed to discover and contain breaches before data is exfiltrated.

All too often, employee-reported phishing emails end up flooding SOCs with more incidents to triage, investigate, and remediate than they can handle. As a result, it has become critically important for businesses to find ways to streamline and automate these processes. Otherwise, the time it takes to discover and resolve breaches will only grow longer—while valuable data, intellectual IP, and other important business information are exfiltrated by cybercriminals.

Inside the ACID Phishing Incident Response Survey

Every quarter, ACID surveys SOC professionals at 280 organizations ranging in size from 1,000 employees to 209,000 employees in order to get a read on incident response issues. This quarter’s survey participants include 176 respondents based in the United States and 84 in the United Kingdom.

The survey asks a series of questions regarding employee-reported phishing—including reporting mechanism, volume, false positive rate, existing tools for phishing incident response, and time required to investigate phishing. This section of the Q2 2019 Email Fraud and Identity Trends report highlights analysis of the responses to these questions.

Employee Empowerment Evolves
Organizations Change Tactics for Employee Reporting

Ninety-five percent of this quarter’s survey respondents report employees in their organizations have the ability to report phishing attacks, often via a convenient button and/or abuse inbox for forwarding suspicious messages to the security team.

While this is down 3% quarter-over-quarter, a growing number of organizations are adopting phishing simulations to test employees’ ability to detect a phishing incident after participating in security awareness training. A full 92% of this quarter’s survey respondents report their organizations use such simulations, up 4% from the previous quarter. In most cases, these simulations are implemented via an outside vendor to provide an objective assessment of security vulnerabilities.


Catching Phish
How Employees Report Suspected Attacks

Most companies offer multiple reporting methods, including filing a help desk trouble ticket, using the native email client phishing button, or implementing a third-party client such as the KnowBe4 phishing button. But today, the most common mechanism available to employees to report phishing is an abuse@company.com inbox.

Whether the phishing incident is reported through an inbox or a phishing button, the phishing email itself is forwarded to some combination of a security operations center or help desk support center, for investigation and remediation. In some cases, the mail platform (Microsoft Office 365 or Gmail) or phishing simulation vendor also receives a copy of the reported phishing messages.


Employee-Reported Incidents: Volume and Accuracy

With so much empowerment, training, and testing designed to help employees recognize and report phishing incidents, just how many suspected attacks are reported? What about accuracy?

Based on the results of this quarter’s survey, respondents report roughly 29,028 phishing incidents per organization on an annual basis, with a slightly lower number of phishing incidents in UK-based companies.


In all, 56% of respondents reported a number of phishing incidents ranging from 12,000 to 36,000 per year.

Employee-Reported Incidents: False Positive Rate Rises 10%

The emails employee report are not always true phishing incidents. Security training often encourages users to report any suspicious email. As a result, spam, unwanted marketing emails, as well as legitimate email messages are often reported as phishing—even when they are not. In the first quarter of 2019, the false positive rate for employee-reported phishing incidents climbed 10% on a global basis. In the United States, the rate rose from 49% to 56%, while the United Kingdom saw a 3% decline over ninety days.


Time Required for Triage, Investigation, Forensics, and Remediation


Each quarter’s survey participants are asked: For employee phishing reports, how much time on average does it take a SOC analyst to triage, investigate, and remediate?” both in terms of true phishing incidents and false positive reports.

Response Times Climbing Fast

On a global basis, the overall average across all phishing incidents is now 6.5 hours to triage, investigate, and remediate. That number is up 32% from 4.9 hours in the course of ninety days. In the United States, the rate is up 1.86 hours, while in the United Kingdom, the rate is up by nearly a full hour

On average, SOC analysts now spend 5.58 hours triaging a false positive, compared to 3.96 hours in the previous quarter. And they spend an average of 6.64 hours triaging, investigating, and remediating a valid phish—an increase of .76 hours during the same time period.


The triage process generally involves a quick investigation of the sender domain and address, included links, and attachments to determine if the message is potentially malicious. This process is often manual, requires multiple third-party tools, and involves the judgment of the analyst—something that is not always 100% reliable.

SOC Staffing Snapshot
Headcount Needs Nearly Double in 90 Days

In the face of this continuous barrage of phishing incidents, the average number of SOC analysts per organization hit 14.6 in the first quarter of 2019—up from 12.5 quarter-on-quarter.


More than 90% of organizations report having at least one dedicated SOC analyst. Not surprisingly, the analysis showed a strong correlation between company size, the number of phishing incidents, and the number of SOC employees.

For example, 41% of organizations with more than 10,000 employees have 20 or more SOC analysts. The same is true of organizations with 60,000 or more phishing incidents per year.

The Q2 Staffing Gap

Based on the average number of phishing incidents and the average time to remediation (6.5 hours), the average SOC needs 90 analysts to handle the number of phishing incidents per company. Given that the average number of SOC analysts in our survey is 14.6, there is a widening staffing gap of at least 76 full-time equivalents (FTEs). This gap currently results in organizations failing to detect phishing incidents, which opens each organization to the possibility of breaches or fraud.

Data Breach Economics
Risk Reductions from Automation

Today, the entry point for 96% of all data breaches is a well-targeted email, according to the 2018 Verizon Data Breach Investigations Report (DBIR). The average cost of a data breach in the United States is now $7.9 million, and organizations face an average 14% probability of suffering a breach within the next year, according to Ponemon Institute. If you multiply the average breach cost of $7.9 million by the probability of 14%, the annual breach risk is $1.1 million.

data breach-risk reduction-exfiltration-discovery-2019

Meanwhile, the Verizon DBIR finds that the average data breach results in the exfiltration of data within minutes or hours—while the average time-to-discovery takes months. This is likely a symptom of understaffed and inefficient SOC processes for handling phishing incidents. Ideally, SOC analysts would be able to triage, investigate, and remediate reported phishing incidents within minutes, enabling the business to remediate the compromise and contain the breach.

Q2 Automation Index

As part of our quarterly phishing incident response survey, we asked respondents how much reducing the response time required for phishing incident response would reduce their breach risk. Overall, this quarter’s respondents felt their business could reduce breach risk by an average of 51% by automating the process of phishing incident response.

In the United States, that figure rose 2% from the previous quarter to an average 53% reduction in breach risk, while in the United Kingdom, estimates dropped 3% during the same period, to an average 45% reduction.

On a global basis, a 51% reduction in breach risk would result in a $561,025 decrease in annual breach risk for the average business.


Totaling It Up
The Cost of Manual Response vs. the Savings from Automation

Based on the data captured in this quarter’s phishing incident response survey, it’s possible to establish the variables needed to estimate the cost of manually handling phishing incidents, average breach risk, and the potential cost savings of automating the process.

cost of response-save automation-2019

To calculate a custom ROI for your organization, visit agari.com/roi

Using averages for all variables, the detailed calculations above show a total annual cost to the SOC of $8.1 million and an average annual breach risk of $1.1 million—for a total cost of $9.2 million per company. By implementing automated phishing incident response processes that reduce the time to triage, investigate, and remediate phishing incidents by 90%, and the time to discover and remediate data breaches by up to 51%, organizations could save $7.29 million in SOC costs and $561,000 in breach risk—for a total savings of $7.85 million.

Close button
Mail Letter

Would you like the confidence to trust your inbox?