Phishing Attack Costs by Industry: Healthcare, Finance, Manufacturing & SMB (2026)
Industry-specific phishing costs that CISOs can use directly in board presentations. Healthcare leads at $9.77M, more than double the global average.
Updated 15 April 2026
| Industry | Avg Breach Cost | Common Attack | Detection Time | YoY Trend |
|---|---|---|---|---|
| Healthcare | $9.77M | Spear phishing / credential theft | 281 days | +8% YoY |
| Financial Services | $5.90M | BEC / wire transfer fraud | 238 days | +6% YoY |
| Technology | $5.07M | Credential harvesting / supply chain | 217 days | +4% YoY |
| Energy / Utilities | $4.72M | Spear phishing / OT access | 254 days | +12% YoY |
| Manufacturing | $4.47M | Phishing to ransomware | 271 days | +18% YoY |
| Government / Public Sector | $4.33M | Spear phishing / credential theft | 289 days | +7% YoY |
| Education | $3.65M | Bulk phishing / credential harvesting | 246 days | +9% YoY |
Source: IBM Cost of a Data Breach Report 2025. Breach costs represent averages across all attack vectors; phishing-initiated breaches may vary.
Healthcare
Regulations: HIPAA, HITECH Act
Avg Breach Cost: $9.77M
Detection Time: 281 days
Healthcare has had the highest average breach cost of any industry for 14 consecutive years. Patient health information (PHI) is worth 10-40x more than credit card data on dark web markets. HIPAA violations can reach $1.5M per year per violation category. The sector faces unique challenges: legacy medical systems cannot be easily patched, clinicians prioritise patient care over security protocols, and interconnected health information exchanges expand the attack surface.
Key Risk Factors
- PHI worth 10-40x credit card data
- Legacy medical systems
- HIPAA fines up to $1.5M/yr
- Interconnected health exchanges
Real-World Example
Change Healthcare (2024): a phishing-initiated breach led to $872M+ in estimated costs, disrupting claims processing for thousands of healthcare providers across the United States for weeks.
Financial Services
Regulations: PCI-DSS, SOX, GLBA, SEC
Avg Breach Cost: $5.90M
Detection Time: 238 days
Financial services receive 23.5% of all phishing attacks globally (APWG 2025), making it the most targeted sector. BEC attacks are particularly devastating because wire transfers are routine business operations. The sector faces strict regulatory oversight from multiple bodies: SEC cybersecurity disclosure rules (4-day reporting), PCI-DSS for payment data, SOX for financial controls, and GLBA for consumer financial privacy.
Key Risk Factors
- 23.5% of all phishing targets
- Wire transfers as routine operations
- Multi-regulator oversight
- High-value transaction authority
Real-World Example
Crelan Bank (Belgium, 2016) lost $75.8M to CEO fraud. The Google/Facebook BEC fraud ($100M, 2013-2015) exploited routine vendor invoice processes at scale.
Technology
Regulations: SOC 2, GDPR, state laws
Avg Breach Cost: $5.07M
Detection Time: 217 days
Technology companies face sophisticated attackers targeting source code, customer data, and supply chain access. A single compromised developer credential can expose thousands of downstream customers. Tech companies often have large attack surfaces due to cloud infrastructure, SaaS integrations, and remote workforces. The 2022 OKTAPUS campaign specifically targeted tech companies via SMS phishing.
Key Risk Factors
- Source code and IP exposure
- Supply chain downstream risk
- Large cloud attack surface
- Remote workforce targeting
Real-World Example
Twilio (2022): SMS phishing led to the breach of 9,931 accounts across 130+ organisations. The RSA Security breach (2011, $66M) compromised SecurID tokens used by defence contractors.
Energy / Utilities
Regulations: NERC CIP, TSA directives
Avg Breach Cost: $4.72M
Detection Time: 254 days
Energy sector breaches carry disproportionate operational risk because phishing can provide initial access to operational technology (OT) networks controlling physical infrastructure. The convergence of IT and OT systems means an email compromise can potentially impact power generation, transmission, or pipeline operations. NERC CIP violations can reach $1M per day.
Key Risk Factors
- IT/OT convergence risk
- Critical infrastructure impact
- NERC CIP fines up to $1M/day
- Nation-state threat actors
Real-World Example
Colonial Pipeline (2021): while ransomware was the payload, initial access was via compromised credentials. The attack disrupted fuel supply to the US East Coast for days, costing an estimated $4.4M in ransom alone plus hundreds of millions in economic impact.
Manufacturing
Regulations: ITAR, CMMC, GDPR
Avg Breach Cost: $4.47M
Detection Time: 271 days
Manufacturing is the fastest-growing target for phishing attacks, with an 18% year-over-year increase. Phishing is the primary entry point for ransomware attacks that halt production lines. Average manufacturing downtime costs $22,000 per minute. Many manufacturers have limited security teams, legacy industrial control systems, and suppliers with varying security maturity.
Key Risk Factors
- $22,000/min production downtime
- Legacy industrial control systems
- Supply chain dependencies
- Limited security teams
Real-World Example
Clorox (2023): a social engineering attack led to a breach costing $49M in estimated damages, disrupting production and distribution for weeks.
Government / Public Sector
Regulations: FedRAMP, FISMA, state laws
Avg Breach Cost: $4.33M
Detection Time: 289 days
Government agencies face persistent targeting from both criminal and nation-state actors. Phishing campaigns against government employees often target credentials for accessing classified or sensitive citizen data. The sector has the longest average detection time (289 days) due to complex, legacy IT environments. Breach notification requirements vary significantly between federal, state, and local agencies.
Key Risk Factors
- Nation-state targeting
- Longest detection time (289 days)
- Legacy IT infrastructure
- Citizen data sensitivity
Real-World Example
The 2020 SolarWinds campaign (attributed to nation-state actors) compromised multiple US government agencies. While the initial vector was supply chain, phishing was used for lateral movement and persistence.
Education
Regulations: FERPA, state laws, GDPR (international)
Avg Breach Cost: $3.65M
Detection Time: 246 days
Educational institutions face high vulnerability due to open network cultures, large numbers of users with varying security awareness, and limited IT security budgets. Universities are particularly targeted for research data, student financial information, and as pivot points into connected research networks. The transition to remote learning expanded attack surfaces significantly.
Key Risk Factors
- Open network culture
- Limited security budgets
- Large, transient user populations
- Research data targeting
Real-World Example
Multiple UK universities were targeted in 2024 by coordinated phishing campaigns impersonating Office 365 login pages. QR phishing on campus (fake parking and Wi-Fi codes) emerged as a growing vector.
Small & Medium Businesses: The Existential Threat
Small and medium businesses face a fundamentally different risk profile from enterprises. While the per-incident cost is lower ($3.31M average), the impact is existential: 60% of SMBs that suffer a data breach close within 6 months. For companies with 25-299 employees, the average breach cost is $254,000. 68% of SMB breaches start with a single untrained employee clicking a phishing link.
Avg Breach Cost: $3.31M
Closure Rate: 60% within 6 months of a breach
Breaches from Untrained Staff: 68%
Avg Cost (25-299 Employees): $254K
Key Challenges
- No dedicated security team (43% of SMBs have zero IT security staff)
- Limited budget for security tools and training
- Disproportionate reliance on individual employees
- Less likely to have incident response plans
- Insurance coverage gaps (average cyber insurance is $1,740/year but covers only $1M)
Cost-Effective Recommendations
- Monthly phishing simulation training ($2-5/user/month)
- Phishing-resistant MFA on all accounts (FIDO2/passkeys)
- DMARC email authentication (free to implement)
- Managed email security gateway ($12-25/user/year)
- Written incident response plan (free to create)