Osterman Research and IRONSCALES have published research showing that phishing now costs USD $51,948 per security analyst each year.
The study compares current phishing defence costs with a benchmark established just before ChatGPT became publicly available.
The findings suggest a shift in the economics of email-based attacks. Security teams are handling individual phishing emails more quickly than they did three years ago, but the overall burden has risen as attackers use generative AI to produce and launch more campaigns.
Phishing now accounts for 36.5% of security team working hours, up from 33.5% in 2022, according to the research. Annual cost per analyst rose 13.6% over the same period, from USD $45,726 to USD $51,948.
The survey covered 128 IT and security professionals at organisations with 1,000 to 5,000 employees. Osterman and IRONSCALES said the comparison provides a before-and-after view of how generative AI has changed phishing activity since late 2022.
Efficiency gains
Security teams did improve the speed at which they handled each incident. The average time to resolve a phishing email fell 16%, to 23.2 minutes from 27.5 minutes, while the cost per phishing email dropped 12%, to USD $27.51 from USD $31.32.
Those gains were outweighed by what appears to be a rise in attack volume. Half of organisations now rate phishing as a high or extreme threat, up from one-third in the earlier survey.
Respondents also pointed to changes in the nature of phishing attacks. AI-generated messages are increasingly free of the grammatical errors and other obvious warning signs employees were trained to spot in earlier campaigns.
Deepfakes featured prominently in the results. Some 62.5% of respondents said deepfake attacks are immediately disruptive, and deepfake voice and video received the highest share of "extremely impactful" ratings among the emerging threats covered by the survey.
Michael Sampson, Principal Analyst at Osterman Research, said the two studies offered a useful comparison point. "The timing of these two studies creates a natural experiment. Our 2022 report didn't mention artificial intelligence once. This one has AI on every page. Organisations remediate phishing incidents 16% faster but spend 9% more of their annual hours doing so. Security teams got more efficient at fighting phishing, but attackers got even more efficient at creating phishing attacks. So far, the threat actors have gained the upper hand," Sampson said.
Attack pressure
The report identifies three areas where AI has strengthened attackers: volume, speed and evasiveness. Tasks that once required hours or days of manual preparation, such as researching targets and tailoring messages, can now be completed in minutes.
The shorter preparation cycle allows faster campaign turnover and more frequent attacks. The study also found that attackers are using AI to test defensive settings and alter campaign characteristics to avoid detection.
Four in 10 respondents expect all three pressures to worsen over the next year. Only a minority expect conditions to improve, and that view depends on the assumption that defenders can adopt AI tools more quickly than attackers.
The findings align with broader industry data cited in the report. It referred to recent Verizon research that found a doubling of AI-assisted text in malicious emails compared with prior years, with phishing accounting for 44% of AI-assisted initial access attempts.
Audian Paxson, Principal Technical Strategist at IRONSCALES, said the cost structure behind phishing had changed. "The economics of phishing have fundamentally changed. Before generative AI, personalizing a phishing attack required manual research, which limited it to high-value targets. Now, personalization is cheap and fast, so it can be applied across an entire organization. The defensive model that worked three years ago (detect, investigate, respond) is being overwhelmed by volume. Organisations need to get ahead of attacks, not just respond to them faster," Paxson said.
The report also suggests security teams do not expect relief soon. Only one in five respondents said phishing would become easier to manage over the next 12 months, while most expect the workload to stay the same or increase as AI-generated attacks become more sophisticated.
IRONSCALES has introduced a set of AI tools aimed at helping organisations anticipate attacks, including products for threat research, forensic investigation and phishing simulation. It also offers deepfake protection for Microsoft Teams using visual and audio analysis.
IRONSCALES says it protects more than 17,000 organisations worldwide, while Osterman Research focuses on analysis of technology trends in messaging, collaboration and security. The report's central finding is that faster handling has not offset the growing time and cost organisations now spend dealing with phishing.