Organizations now remediate individual phishing emails faster than ever, but the total burden of phishing on security teams has increased, according to new research from Osterman Research commissioned by IRONSCALES.
The report, The (Higher) Business Cost of Phishing, surveyed 128 IT and security decision-makers at organizations with 1,000 to 5,000 employees. It found that the share of IT and security working hours consumed by phishing has climbed from 33.5% to 36.5% since 2022, when this report was previously commissioned.
In dollar terms, phishing now consumes the equivalent of $51,948 of each composite IT or security professional’s annual salary. The per-incident cost dropped from $31.32 to $27.51 per email, a 12% reduction.
But volume has overwhelmed those gains. For a team of ten, that 36.5% figure is the equivalent of nearly four full-time employees doing absolutely nothing but responding to phishing.
AI Is Driving Both Sides of the Equation
Half of all organizations now rate phishing as a high or extreme threat, up from a third in 2022. Four in ten respondents expect attack volume, speed, and evasiveness to worsen over the next 12 months as attackers use AI to automate personalization and probe defenses for weaknesses.
Audian Paxson, Principal Technical Strategist at IRONSCALES, told Expert Insights: “AI gave both sides new tools. Defenders used it to detect and respond faster. Attackers used it to generate more campaigns at a scale that was previously impossible. The net result is an arms race where defenders are running faster just to stay in place.”
The report highlights a shift in the types of attacks causing the most concern. Multi-stage phishing that crosses channels, starting in email and moving to a voice call or text message, ranked as the highest-concern attack type. Of respondents, 62.5% said deepfake attacks are immediately disruptive to their operations.
Anuraag Singh, a cybersecurity expert and digital forensics trainer at SysTools Software, told Expert Insights that voice cloning has made this shift tangible. “Criminals now take a couple of sentences from a LinkedIn post or a YouTube video, clone an executive’s voice, and call an employee,” he said. “What was once an attack that only a nation-state could pull off has become cheap and easy for mid-level criminals.”
Internal phishing from compromised accounts, post-delivery link weaponization, and AI-generated impersonation were all flagged as high concerns by more than half of respondents. These are threats that exploit trust and feel legitimate, and they are designed to bypass the detection systems and awareness training most organizations already have in place.
For security teams already stretched thin, the message from the data is that faster defenses alone are not closing the gap. The volume and sophistication of AI-powered phishing are growing faster than the efficiency gains AI-powered defenses are delivering.