In 2023, a small accounting firm in Manchester received an email that appeared to be from one of their long-standing clients, requesting a change of bank details for an upcoming payment. The email matched the client's usual tone and referenced a real invoice. The firm updated the details and transferred £47,000.
The money was gone within hours. Moved through three accounts and withdrawn. Unrecoverable.
But £47,000 was just the beginning of what this attack cost them.
The costs you see
Let's start with the obvious ones — the numbers that show up immediately.
Direct financial loss This is the money that was actually stolen. For Business Email Compromise (BEC) attacks, the type that hit our accounting firm, the FBI's Internet Crime Complaint Center recorded $2.9 billion in losses across 21,489 complaints in 2023. That's an average of roughly $137,000 per incident.
But averages are misleading. For small businesses, BEC losses typically range from £10,000 to £100,000. For larger targets, single incidents have run into the tens of millions: Toyota Boshoku lost $37 million to BEC in 2019.
Ransom payments (if ransomware is involved) Not all phishing leads to ransomware, but when it does, the numbers are brutal. The median ransom payment in 2024 was $2 million according to Sophos's State of Ransomware report, a fivefold increase from $400,000 the previous year. Verizon's 2019 DBIR found that 94% of malware was delivered via email, which makes phishing one of the main entry points for ransomware.
The costs that follow
Here's where the real damage starts accumulating. These are the costs that aren't in the initial incident report but show up over weeks and months.
Investigation and forensics After a breach, you need to understand what happened, what was accessed, and whether the attacker still has access. For a small business, hiring a cybersecurity incident response firm typically costs £5,000-25,000. For mid-size companies, IBM's 2024 Cost of a Data Breach report puts the average detection and escalation cost at $1.63 million, though that average is pulled up by the large organisations in its sample.
Even if you handle it internally, the investigation consumes enormous amounts of staff time. Our accounting firm spent three weeks with their IT consultant tracing the breach, reviewing all email rules, checking for further compromises, and verifying that no other client data had been accessed.
Legal costs If personal data was exposed, and email compromises often expose names, addresses, financial details, and more, you may have legal obligations. Under UK GDPR, you must notify the ICO within 72 hours of becoming aware of a breach that is likely to put people at risk, and you must tell the affected individuals themselves without undue delay when that risk is high.
Legal advice for a data breach typically costs £3,000-15,000 for a small business, more if litigation follows. If you're handling financial data, regulatory requirements are even stricter.
Notification costs Sounds minor, but notifying affected customers takes real time and money. Template letters, individual communications, setting up helplines or FAQ pages, responding to concerned clients. For the accounting firm, this meant individually contacting every client whose data might have been in the compromised inbox — even though only one client's payment was redirected.
System remediation Passwords reset. MFA deployed (should have been there before). Mailbox rules audited for the forwarding and deletion rules attackers leave behind. New security tools purchased. Consultants engaged. For a small business, remediation typically runs £2,000-10,000. For mid-size, much more. The IBM report puts the average post-breach response cost at $1.35 million across all organisation sizes.
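The mailbox-rule review mentioned in the investigation and remediation steps above is worth automating, because the rules attackers add after phishing a mailbox follow a small number of patterns: forward or redirect mail to an external address, delete or mark as read anything mentioning invoices or payments, file mail into a folder nobody opens, and give the rule a blank or punctuation-only name. The script below is an added example, not tooling from the article; the rule fields mirror the shape of Exchange Online's Get-InboxRule output but are an assumption for illustration, and every sample rule is constructed.

```python
"""Audit exported mailbox inbox rules for signs of BEC persistence.

Added example (not the article's own tooling). Rule dicts mimic the shape of
Exchange Online's Get-InboxRule output; the field names are an assumption for
illustration, and every sample rule below is constructed.
"""
from __future__ import annotations

import re

# Domains the organisation owns; anything else counts as external. (Assumed
# for the example; replace with your own.)
INTERNAL_DOMAINS = {"example-accountants.co.uk"}

# Words attackers key their rules on to hide invoice and payment traffic.
SUSPICIOUS_KEYWORDS = {"invoice", "payment", "bank", "remittance", "wire",
                       "password", "mfa", "fraud"}

# Folders users rarely open, so a rule that files mail there hides it.
HIDING_FOLDERS = {"rss feeds", "rss subscriptions", "conversation history",
                  "junk email", "deleted items", "archive"}


def domain_of(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower()


def audit_rule(rule: dict) -> list[str]:
    """Return findings for one rule; an empty list means nothing suspicious."""
    findings = []

    # 1. Any forward/redirect to an address outside our own domains.
    for field in ("ForwardTo", "RedirectTo", "ForwardAsAttachmentTo"):
        for addr in rule.get(field, []):
            if domain_of(addr) not in INTERNAL_DOMAINS:
                findings.append(f"{field} external address {addr}")

    # 2. Keyword-triggered rules that delete, hide, or mark mail as read.
    words = rule.get("SubjectContainsWords", []) + rule.get("BodyContainsWords", [])
    text = " ".join(words).lower()
    hits = sorted(k for k in SUSPICIOUS_KEYWORDS if k in text)
    hides = (rule.get("DeleteMessage") or rule.get("MarkAsRead")
             or rule.get("MoveToFolder", "").lower() in HIDING_FOLDERS)
    if hits and hides:
        findings.append(f"hides mail matching {hits}")

    # 3. Filing anything into a rarely-read folder is itself worth a look.
    if rule.get("MoveToFolder", "").lower() in HIDING_FOLDERS:
        findings.append(f"moves mail to {rule['MoveToFolder']!r}")

    # 4. Blank or punctuation-only names are a classic attacker tell.
    if re.fullmatch(r"[\s.,;:_-]*", rule.get("Name", "")):
        findings.append("rule name is blank or punctuation only")

    return findings


def audit_mailbox(rules: list[dict]) -> dict[str, list[str]]:
    """Map each rule's name to its findings, keeping only suspicious rules."""
    report = {}
    for rule in rules:
        findings = audit_rule(rule)
        if findings:
            report[rule.get("Name", "<unnamed>")] = findings
    return report


# Constructed sample: one legitimate rule and three that look like BEC persistence.
SAMPLE_RULES = [
    {"Name": "Newsletters", "SubjectContainsWords": ["newsletter"],
     "MoveToFolder": "Newsletters"},
    {"Name": ".", "SubjectContainsWords": ["invoice", "payment"],
     "DeleteMessage": True, "MarkAsRead": True},
    {"Name": "Backup", "ForwardTo": ["finance.backup@example-webmail.net"]},
    {"Name": "Tidy", "BodyContainsWords": ["bank details", "remittance"],
     "MoveToFolder": "RSS Feeds", "MarkAsRead": True},
]

if __name__ == "__main__":
    for name, findings in audit_mailbox(SAMPLE_RULES).items():
        print(f"{name!r}: " + "; ".join(findings))
```

In Exchange Online the input comes from `Get-InboxRule -Mailbox <user> | ConvertTo-Json`; Google Workspace exposes the same data through the Gmail users.settings.filters API. Run it against every mailbox, not only the one that received the spoofed email: the same phished credentials frequently unlock more than one, and the rules are usually the only visible trace the attacker leaves after the money has moved.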
The costs nobody talks about
Downtime IBM's 2024 report found that the average time to identify and contain a data breach is 258 days. That doesn't mean your business is down for 258 days — but it does mean you're operating in a degraded, distracted state for months.
The accounting firm had to temporarily stop processing client payments while they verified their systems were clean. That meant delayed invoicing, delayed payments to their suppliers, and three weeks where the business was effectively paralysed for its core function.
For businesses hit by ransomware after a phishing attack, the average downtime is 24 days (Coveware, 2024). At £10,000-50,000/day in lost revenue for a small business, that alone can be existential.
Employee time Every hour your team spends dealing with a breach is an hour they're not doing their actual jobs. In the weeks following a phishing attack, expect management to lose 15-25% of their productive time to breach-related activities: meetings with consultants, reviewing security measures, communicating with clients, dealing with insurance claims.
For a 10-person company with an average salary of £35,000 (£350,000 a year in payroll, or about £29,200 a month), losing 20% productivity across the team for one month costs roughly £5,800 in salary alone, not counting the opportunity cost of work that didn't get done.
Reputation and customer churn This is the big one that's hardest to quantify. IBM's report found that lost business — including customer churn, reputation damage, and lost new business — was the largest cost category, averaging $1.47 million.
Our accounting firm lost two clients directly because of the breach. Not because those clients were affected by the attack — but because they lost confidence in the firm's ability to handle sensitive financial information. Two clients at £3,000/year each is £6,000 in annual recurring revenue. Over five years, that's £30,000 from client churn alone.
For a larger business, the reputational damage can be devastating. After the 2020 Twitter hack (which started with a phone-based social engineering attack on employees), Twitter's stock dropped 4% and the company faced congressional hearings and FTC scrutiny.
Insurance premium increases If you have cyber insurance, expect your premiums to increase 20-30% after a claim. If you didn't have it, you'll probably get it now — and it won't be cheap, because you're now a demonstrated risk. Cyber insurance for a small business typically costs £500-3,000/year pre-claim, and significantly more post-claim.
Regulatory fines Under UK GDPR, the ICO can issue fines up to £17.5 million or 4% of annual global turnover (whichever is higher) for serious violations. Most small business fines are much smaller — typically £5,000-50,000 — but they're non-trivial. In 2022, the ICO fined Interserve Group £4.4 million after a phishing attack exposed the personal data of up to 113,000 employees.
Putting the numbers together: a real scenario
Let's map the full cost for our accounting firm — a 15-person company that lost £47,000 to a BEC attack:
| Cost category | Amount |
|---|---|
| Direct financial loss | £47,000 |
| IT consultant / forensics | £8,000 |
| Legal advice | £5,500 |
| System remediation (new tools, MFA rollout, email audit) | £3,200 |
| Client notification and communication | £1,500 |
| Employee productivity loss (3 weeks) | £7,000 |
| Lost clients (2 clients, projected 3-year value) | £18,000 |
| Insurance premium increase (over 3 years) | £2,400 |
| Total estimated cost | £92,600 |
The £47,000 that was stolen — the number in the initial police report — was barely half the true cost.
And this is a relatively mild scenario. No ransomware. No regulatory fine. No lawsuit. No extended downtime. Just a single spoofed email and one misdirected payment.
The enterprise numbers are staggering
IBM's 2024 Cost of a Data Breach Report (based on 604 organisations across 16 countries) puts the global average cost of a data breach at $4.88 million — an all-time high and a 10% increase over the previous year.
Some specifics:
- Healthcare had the highest average cost at $9.77 million per breach
- Phishing was the most common initial attack vector, responsible for 16% of breaches, with an average cost of $4.88 million each
- Breaches involving stolen credentials (often obtained via phishing) averaged $4.81 million
- Organisations making extensive use of security AI and automation saved an average of $2.22 million per breach compared to those not using them
- It took an average of 292 days to identify and contain breaches involving stolen credentials
Prevention vs. cure: the maths
Here's what basic email security costs for a 15-person company (from our small business guide):
| Prevention measure | Annual cost |
|---|---|
| Business email (Google Workspace) | £1,035 |
| MFA enforcement | Free |
| SPF/DKIM/DMARC setup | Free (one-time effort) |
| Password manager | £480 |
| Hardware security keys | £375 (one-time) |
| Quarterly security training | £200 |
| Email security tool | £500-1,500 |
| Total year one | £2,590-3,590 |
| Total subsequent years | £2,215-3,215 |
Total prevention cost: roughly £2,500-3,500 per year. Total cost of one successful phishing attack: £92,600 (in our mild example).
That's a ratio of roughly 26:1 at the top of the prevention range, and closer to 37:1 at the bottom. You'd need to go 26 years without an attack for prevention to cost more than a single incident. Given that around half of UK businesses report a cyber incident annually, those odds are firmly in prevention's favour.
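The SPF/DKIM/DMARC row in the prevention table is "free" only if the records are actually set to enforce. A domain with `+all` in SPF or `p=none` in DMARC has the records and none of the protection. The checker below is an added example, not code from the article or its small business guide: it takes SPF and DMARC record strings you have already fetched (for instance with `dig TXT`), flags the weak settings, and shows the weak record beside the corrected one. No DNS query is made, the records are constructed for illustration, and only the lookups in the record itself are counted, not those inside nested include targets. One caveat for the scenario in this article: these records stop people spoofing your exact domain. A lookalike domain, or a compromised mailbox at the client, passes SPF, DKIM and DMARC cleanly, so they complement an out-of-band callback on every bank-detail change rather than replace it.

```python
"""Flag the weak SPF and DMARC settings that leave a domain spoofable.

Added example, not code from the article or its small business guide. It
checks record strings you have already fetched (e.g. with `dig TXT`); no DNS
query is made here, and every record below is constructed for illustration.
Only the lookups in the record itself are counted, not those inside nested
include: targets.
"""
from __future__ import annotations

# SPF terms that cost a DNS lookup; RFC 7208 allows 10 per evaluation.
LOOKUP_MECHS = {"a", "mx", "include", "exists", "ptr", "redirect="}


def _mech_name(term: str) -> str:
    """'+include:x.com' -> 'include', 'redirect=y' -> 'redirect=', '-all' -> 'all'."""
    t = term.lstrip("+-~?").lower()
    if "=" in t:                       # modifier such as redirect= or exp=
        return t.split("=", 1)[0] + "="
    return t.split(":", 1)[0].split("/", 1)[0]


def check_spf(record: str) -> list[str]:
    findings = []
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record"]

    # The qualifier on 'all' decides what happens to senders you did not list.
    qualifier = None
    for t in terms[1:]:
        if t.lstrip("+-~?").lower() == "all":
            qualifier = t[0] if t[0] in "+-~?" else "+"
    if qualifier is None:
        findings.append("no 'all' mechanism: unlisted senders get a neutral result")
    elif qualifier == "+":
        findings.append("'+all' authorises every sender on the internet")
    elif qualifier == "?":
        findings.append("'?all' is neutral and gives no protection")
    # '~all' (softfail) is tolerated here: with DMARC in place it still aligns.

    lookups = sum(1 for t in terms[1:] if _mech_name(t) in LOOKUP_MECHS)
    if lookups > 10:
        findings.append(f"{lookups} DNS-lookup terms: exceeds SPF's limit of 10 (permerror)")
    return findings


def check_dmarc(record: str) -> list[str]:
    findings = []
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        return ["not a DMARC record"]

    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        findings.append("missing or invalid p= tag")
    elif policy == "none":
        findings.append("p=none: spoofed mail is reported but still delivered")

    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 100
        findings.append("pct= is not a number")
    if pct < 100 and policy != "none":
        findings.append(f"pct={pct}: policy applied to only {pct}% of failing mail")

    if "rua" not in tags:
        findings.append("no rua= address: you receive no aggregate reports")
    if tags.get("sp", policy).lower() == "none" and policy != "none":
        findings.append("sp=none: subdomains can still be spoofed")
    return findings


# Constructed records: the weak setting beside the corrected one.
WEAK_SPF = "v=spf1 include:_spf.google.com +all"
GOOD_SPF = "v=spf1 include:_spf.google.com -all"
WEAK_DMARC = "v=DMARC1; p=none"
GOOD_DMARC = "v=DMARC1; p=reject; rua=mailto:dmarc@example-accountants.co.uk; pct=100"

if __name__ == "__main__":
    for label, rec, check in [("weak SPF", WEAK_SPF, check_spf),
                              ("good SPF", GOOD_SPF, check_spf),
                              ("weak DMARC", WEAK_DMARC, check_dmarc),
                              ("good DMARC", GOOD_DMARC, check_dmarc)]:
        print(f"{label}: {check(rec) or 'OK'}")
```

Moving from `p=none` to `p=reject` is normally done in stages (none, then quarantine with a low `pct`, then reject), using the `rua` aggregate reports to find legitimate senders you forgot to authorise; the checker flags a low `pct` so that the staging step is not forgotten in place.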
What to take from this
The cost of phishing isn't the money that was stolen. It's the investigation, the legal fees, the remediation, the lost productivity, the damaged relationships, the increased insurance premiums, and the persistent anxiety about whether you've really fixed everything.
Most businesses that experience a significant phishing attack don't fail because of the direct financial loss. They struggle because of the cascade of secondary costs that accumulate over weeks and months, pulling focus and resources away from the business at exactly the wrong time.
The most expensive security investment is the one you make after the breach.