A phishing email looks small: one message, one link, one moment of misplaced trust. The cost looks small too — a stolen password feels like something you fix by changing it. That framing is exactly why phishing is so dangerous. The click is not the attack. It’s the entrance. What happens below the waterline is where organizations actually lose money, customers, and sometimes the ability to operate at all.
Phishing is the front door to almost everything else
IBM’s 2025 report found phishing is now the most common initial access vector, behind about 16% of all breaches, at an average cost of roughly $4.8 million. [1] The global average across all breaches was $4.44 million, rising to $10.22 million in the US. [2] But “a breach” is a category, not an outcome. Once an attacker has a working credential or a hijacked session, that same click can branch into far more expensive endings: ransomware and extortion (average $5.08 million [3]); business email compromise ($2.77 billion across 21,442 incidents in 2024 [4]); and data theft, with customer personal data stolen in 53% of breaches.
The hidden weight is operational
The line-item cost is the part everyone quotes. The part that sinks companies is the disruption. In IBM’s data, 86% of breached organizations reported operational disruption, and the average breach took around 241 days to identify and contain — 279 in healthcare, the costliest sector at $7.42 million. [5] Nearly half of breached companies raised prices to cover the costs.
What it looks like when the iceberg surfaces
In April 2025, UK retailer Marks & Spencer was hit by a ransomware attack whose entry point was social engineering. [6] The damage was anything but small:
- An estimated £300 million (~$403 million) hit to operating profit. [6]
- No online clothing orders for 46 days; staff reverted to pen-and-paper to track stock. [7]
- Roughly £750 million wiped off market value at one point.
- The share of customers who’d recommend M&S fell from about 87% to 73%. [8]
- The combined M&S and Co-op incident was later assessed as potentially costing up to £440 million; Co-op confirmed all 6.5 million members’ data was compromised. [9]
No single employee “lost £300 million.” Someone was socially engineered, and everything below the waterline followed.
The costs you can’t expense
Even the headline figures understate it. Reputation damage and customer churn are a slow, compounding revenue leak. Incidents reshape careers, not just balance sheets. And the months of response, forensics and rebuild work are time the business isn’t spending on growth.
Why this changes how you think about phishing
If you treat phishing as an email problem, you measure success by click rates. If you treat it as the entrance to a breach, the goal changes: not to slightly reduce how often people click, but to make sure the click can’t open the door at all. The click is cheap. Everything under it is not.