CASE FILE // PC-2026-04
Status: Open


Filing 02.00.00 | Field 27 APR 2026 | Classification Public | Status Open

Phishing Cost by Attack Vector

Per-incident loss by category. BEC, spear, whaling, bulk email, vishing, smishing, and quishing have distinct cost profiles. The per-vector field is what determines whether a control investment actually pays back.

Exhibit A

Cost-by-vector summary

REFERENCE

Code | Vector                          | Avg incident | Volume profile         | 2026 trend
V-01 | Business Email Compromise (BEC) | $4.67M       | Persistent             | Up 9% YoY
V-02 | Spear Phishing                  | $1.76M       | Targeted               | Up sharply, AI-assisted
V-03 | Whaling / CEO Fraud             | $5.10M       | Low-volume, high-value | Up sharply
V-04 | Bulk Email Phishing             | $380K        | Mass volume            | Flat in count
V-05 | Vishing (Voice)                 | $1.35M       | Helpdesk-targeted      | Up 1,633% Q1 2025
V-06 | Smishing (SMS)                  | $870K        | High-volume            | Up ~40% YoY
V-07 | Quishing (QR)                   | $720K        | Filter-evasive         | Up ~400%

Per-incident figures aggregate direct loss, forensics, incident response, legal, and proportional regulatory exposure where applicable. [IBM 2025, IC3 2024, APWG 2025, Hoxhunt 2026]
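Added example, not the case file's own model, showing how the per-vector field decides control payback: annual loss expectancy (ALE) per vector is the Exhibit A cost times an expected rate of successful incidents, and a control's return on security investment (ROSI) is the loss it avoids minus its cost, over its cost. Only the per-incident costs come from the table; the incident rates, control names, costs and effectiveness fractions are hypothetical inputs for illustration.

```python
"""Per-vector control payback on the Exhibit A figures.

Added example; not the case file's own model. Per-incident costs are the
Exhibit A values. Expected successful incidents per year, control costs and
control effectiveness are HYPOTHETICAL inputs for illustration only.
"""
from dataclasses import dataclass, field

# Average loss per successful incident, USD (Exhibit A).
AVG_INCIDENT_COST = {
    "V-01": 4_670_000,  # BEC
    "V-02": 1_760_000,  # spear phishing
    "V-03": 5_100_000,  # whaling / CEO fraud
    "V-04": 380_000,    # bulk email phishing
    "V-05": 1_350_000,  # vishing
    "V-06": 870_000,    # smishing
    "V-07": 720_000,    # quishing
}

# HYPOTHETICAL: expected successful incidents per year for a mid-size enterprise.
BASELINE_RATE = {"V-01": 0.5, "V-02": 1.0, "V-03": 0.1, "V-04": 6.0,
                 "V-05": 0.4, "V-06": 2.0, "V-07": 0.8}


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float                              # USD per year (hypothetical)
    mitigates: dict = field(default_factory=dict)   # vector -> fraction of successes prevented


def annual_loss_expectancy(rate: dict) -> dict:
    """ALE per vector = expected successful incidents/year x avg loss per incident."""
    return {v: n * AVG_INCIDENT_COST[v] for v, n in rate.items()}


def avoided_loss(control: Control, rate: dict) -> float:
    """Annual loss the control removes, summed over the vectors it mitigates."""
    ale = annual_loss_expectancy(rate)
    return sum(ale[v] * frac for v, frac in control.mitigates.items() if v in ale)


def rosi(control: Control, rate: dict) -> float:
    """Return on security investment: (loss avoided - control cost) / control cost."""
    return (avoided_loss(control, rate) - control.annual_cost) / control.annual_cost


def rank_controls(controls, rate: dict) -> list:
    """Controls ordered by ROSI, best first, as (name, rosi) pairs."""
    return sorted(((c.name, rosi(c, rate)) for c in controls), key=lambda p: p[1], reverse=True)


# HYPOTHETICAL controls: costs and effectiveness are illustrative, not vendor figures.
GATEWAY_FILTER = Control("gateway link filtering", 120_000, {"V-04": 0.7, "V-02": 0.2, "V-01": 0.1})
PAYMENT_CALLBACK = Control("out-of-band payment-change callback", 40_000, {"V-01": 0.8, "V-03": 0.7})
HELPDESK_VERIFY = Control("helpdesk identity verification for MFA resets", 60_000, {"V-05": 0.6})

if __name__ == "__main__":
    for v, ale in annual_loss_expectancy(BASELINE_RATE).items():
        print(f"{v}: ALE ${ale:,.0f}")
    for name, r in rank_controls([GATEWAY_FILTER, PAYMENT_CALLBACK, HELPDESK_VERIFY], BASELINE_RATE):
        print(f"{name:48s} ROSI {r:6.1f}x")
```

With these inputs the inexpensive payment-change callback outranks gateway filtering even though bulk phishing has by far the highest count, because the callback sits on the two most expensive vectors. Swapping in an organisation's own incident rates and control quotes is the whole exercise; the ranking is only as good as those two inputs.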

Vector V-01

Business Email Compromise (BEC)

TOP LOSS

Average per incident
$4.67M
per successful incident
Source [IBM 2025 / IC3 2024]

Attacker spoofs or compromises an executive or vendor mailbox, then redirects a wire payment or invoice. The largest aggregate-loss category among these vectors in the IC3 docket: $2.77B in reported US losses in 2024 across 21,442 complaints. Recovery rate sits below 30 percent.

Indicators

Last-minute payment-method change. Reply-To address differs from the From address. Out-of-pattern urgency. Requests to bypass the approval workflow.

Vector V-02

Spear Phishing


Average per incident
$1.76M
per successful incident
Source [Verizon DBIR 2025]

Targeted, researched message to a specific individual. AI-generated spear phishing achieves a 54% click-through against a 12% baseline for human-written attempts (Hoxhunt). Automated generation now matches hand-crafted quality at bulk volume.

Indicators

Personalised from public OSINT. Reference to recent calendar events. Sender domain similar but not identical to a known partner.

Vector V-03

Whaling / CEO Fraud


Average per incident
$5.10M
per successful incident
Source [IBM 2025]

C-suite impersonation, often paired with deepfake voice. The deepfake-call wire-transfer wave that began in 2024 accounted for $200M+ in reported losses in Q1 2025. Boards are now in scope as both attack target and reputational risk owner.

Indicators

First-time wire request from the C-suite. Channel switch driven by the requester (a call to "confirm" an email, or an email to confirm a call). Atypical hour.

Vector V-04

Bulk Email Phishing


Average per incident
$380K
per successful incident
Source [APWG 2025]

Mass credential-harvest emails. Per-incident cost is low, but APWG counts tens of thousands of distinct campaigns per quarter. Typically routes into credential-stuffing follow-on attacks. The one phishing category where filtering still meaningfully reduces volume.

Indicators

Generic salutation. Mismatched-domain links. Urgency tied to account closure or password reset.

Vector V-05

Vishing (Voice)

TRENDING

Average per incident
$1.35M
per successful incident
Source [Hoxhunt 2026]

Phone-based social engineering. The MGM Resorts incident (2023) is the canonical case. Deepfake voice cloning from 60 seconds of source audio is now a commodity capability. Helpdesk impersonation, where a caller posing as an employee talks the helpdesk into resetting a password or MFA factor, turns a phone call into an MFA bypass.

Indicators

Caller knows internal jargon. Pressure to bypass identity verification. Refusal of callback. Background noise spoofing.

Vector V-06

Smishing (SMS)


Average per incident
$870K
per successful incident
Source [APWG 2025]

Text-message phishing. Frequently paired with MFA prompt-bombing once credentials are harvested. Logistics-themed lures (carrier delivery) and tax-themed lures dominate by season.

Indicators

Shortened URL. Sender ID mismatch. Reference to a package or shipment the user did not initiate.

Vector V-07

Quishing (QR)


Average per incident
$720K
per successful incident
Source [Keepnet 2025]

Phishing payload delivered via a QR code embedded as an image. Bypasses URL-rewriting and link-filtering at the email gateway. Mobile-first execution off the corporate network removes endpoint controls from the path.

Indicators

QR-only call to action. Internal-pretext (parking ticket, payroll). Image-only message body.
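Added example, not the case file's tooling, that turns the email-borne indicators listed under V-01 (Reply-To/From mismatch, payment-method change), V-02 (sender domain similar to a known partner), V-04 (link text whose domain differs from the href) and V-07 (image-only body) into gateway-side checks run over three constructed messages. KNOWN_PARTNER_DOMAINS, the sample messages and every address and URL in them are hypothetical; lookalike matching uses a homoglyph fold plus difflib similarity, which is one simple choice, not a method the file describes.

```python
"""Gateway-side triage for the email-borne indicators listed in this file.
Added example, not the case file's tooling; partner list and samples are hypothetical."""
import re
from difflib import SequenceMatcher
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

KNOWN_PARTNER_DOMAINS = {"acme-supply.com", "northwind.example"}  # hypothetical allow-list
PAYMENT_CHANGE = re.compile(r"\b(new|updated|changed)\b.{0,40}\b(bank|account|wire|routing|iban)\b", re.I)
URLISH = re.compile(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", re.I)   # domain shown in link text
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})

def registrable_domain(host: str) -> str:
    """Last two labels only; use a public-suffix list outside this sample."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def lookalike_of(domain: str):
    """Partner domain this one imitates (homoglyph fold or >=0.9 similarity), else None."""
    d = registrable_domain(domain)
    if d in KNOWN_PARTNER_DOMAINS:
        return None                                   # exact partner, not a lookalike
    folded = d.translate(HOMOGLYPHS).replace("rn", "m")
    return next((p for p in KNOWN_PARTNER_DOMAINS
                 if folded == p or SequenceMatcher(None, d, p).ratio() >= 0.9), None)

class _Body(HTMLParser):
    """Collects (href, visible text) per anchor, the image count and every text node."""
    def __init__(self):
        super().__init__()
        self.links, self.images, self.text, self._href, self._atext = [], 0, [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._atext = dict(attrs).get("href", ""), []
        elif tag == "img":
            self.images += 1
    def handle_data(self, data):
        self.text.append(data)
        if self._href is not None:
            self._atext.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._atext).strip()))
            self._href = None

def _addr_domain(header: str) -> str:
    return parseaddr(header)[1].rsplit("@", 1)[-1].lower()

def triage(raw: str) -> list:
    """Sorted indicator flags raised by one RFC 5322 message."""
    msg, flags = message_from_string(raw), set()
    from_dom = _addr_domain(msg.get("From", ""))
    reply_dom = _addr_domain(msg["Reply-To"]) if msg["Reply-To"] else from_dom
    if registrable_domain(reply_dom) != registrable_domain(from_dom):
        flags.add("reply_to_mismatch")                                    # V-01
    for dom in {from_dom, reply_dom}:
        if partner := lookalike_of(dom):
            flags.add(f"lookalike_domain:{dom}~{partner}")               # V-02
    body, plain = _Body(), []
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype in ("text/plain", "text/html"):
            text = (part.get_payload(decode=True) or b"").decode("utf-8", "replace")
            if ctype == "text/html":
                body.feed(text)
            else:
                plain.append(text)
    body.close()
    visible = " ".join(plain + body.text)
    if PAYMENT_CHANGE.search(visible):
        flags.add("payment_method_change")                                # V-01
    for href, text in body.links:
        m, host = URLISH.search(text), urlparse(href).hostname or ""
        if m and registrable_domain(m.group(1)) != registrable_domain(host):
            flags.add(f"link_mismatch:{m.group(1).lower()}->{host}")      # V-04
    if body.images and not body.links and len(visible.strip()) < 40:
        flags.add("image_only_body")                                      # V-07: QR shipped as an image
    return sorted(flags)

# CONSTRUCTED samples; every address, domain and URL below is fictitious.
BEC_SAMPLE = """\
From: "Dana Cole" <d.cole@acme-supply.com>
Reply-To: d.cole@acme-supp1y.com

Please use our updated bank account for this wire; the old one is closed.
"""
BULK_SAMPLE = """\
From: IT Security <alerts@mail-notify.example>
Content-Type: text/html

<p>Your password expires in 2 hours. Reset it at
<a href="http://northwind-login.evil.example/reset">https://www.northwind.example/account</a></p>
"""
QR_SAMPLE = """\
From: Facilities <parking@corp.example>
Content-Type: text/html

<p>Scan to settle:</p><img src="cid:qr-notice" alt="">
"""
```

The QR check flags only the shape of the message (an image, no links, almost no text). Decoding the code and running its URL through the same link checks needs a QR decoder at the gateway, which is precisely the step that URL-rewriting filters skip and that the V-07 vector relies on.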

Updated 2026-04-27