78% of organizations were hit by an email breach in the past 12 months, according to the Email Security Breach Report 2025 by Barracuda. Phishing, impersonation, and account takeover continue to drive incidents that often lead to ransomware and data loss.
Breaches are widespread and interconnected
Phishing and spear phishing were the most common breach types, followed by business email compromise and account takeover. These attacks often overlap. A single phishing email can expose credentials that attackers later use to impersonate staff, steal data, or spread malware across the network.
Email-based threats now blend multiple techniques, which makes filtering less effective and detection speed more important.
Reputational harm was the most common consequence, reported by 41% of respondents. Many also experienced downtime, business disruption, and lost productivity. Roughly a third lost sensitive data, and roughly one in four lost new business or existing customers.
Reputational damage and business interruption can slow growth for months. Customers often lose trust faster than companies can rebuild it.
Smaller firms pay more per employee
The average cost of responding to and recovering from an email breach was $217,068. Companies with 50 to 100 employees reported average costs of $145,921, while those with 1,000 to 2,000 employees spent an average of $364,132.
On a per-person basis, smaller firms carried the heavier load. Their average recovery cost per employee was $1,946, compared to $243 for larger organizations. The report points out that smaller firms often lack the staff or automation to handle incidents, which drives up costs and recovery time.
Slow detection increases ransomware risk
Among organizations that experienced an email breach, 71% were also hit by ransomware in the same year. The study found a link between slower detection and ransomware risk.
More than half of ransomware victims said it took between two hours and a full working day to detect a breach, and most needed another two to eight hours to contain it. By contrast, 58% of breach victims who avoided ransomware detected the breach within an hour. Even short delays give attackers time to escalate an incident.
Phishing often provides the initial access point for ransomware delivery. Stolen credentials or compromised endpoints let attackers plant malware, move through networks, or encrypt files before defenders can respond. Once a breach begins, time becomes critical.
Human behavior extends exposure
The findings show that organizations face three main barriers to response: the complexity of attacks, human behavior, and tool limitations.
Nearly half of respondents said advanced evasion techniques make email threats harder to detect. Attackers craft messages that look and sound authentic, often mimicking internal or vendor communications, which makes them difficult to distinguish from legitimate emails.
46% of security leaders said employees assume existing tools will protect them no matter what. A third said employees fail to report suspicious messages. These habits let threats linger in inboxes and delay containment.
Many organizations also lack automated incident response tools that can identify and remove malicious emails once they are delivered. 44% said manual processes slow containment, and 40% cited a shortage of skilled security staff, a gap that was larger among companies that also faced ransomware.
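The post-delivery capability described above, an automated tool that finds and pulls back malicious messages that have already landed in inboxes, is easy to picture in code. The following is an added example, not code from Barracuda or from the report; it assumes a small constructed mailbox with placeholder domains (vend0r-invoices.example, other-sender.example, legit-vendor.example) and a constructed analyst report time, and uses only the Python standard library. Given one message a user reported, it pivots on the sender domain and the hosts linked in the body to list every other delivered message that should be quarantined, and it measures how long each message sat undetected, the time-to-detect figure the report ties to ransomware risk.

```python
"""Post-delivery remediation sweep over a constructed mailbox (added example)."""
import re
from datetime import datetime, timezone
from email import message_from_string, policy
from email.utils import parseaddr, parsedate_to_datetime

# Hosts in http(s) links inside a message body; the pivot for lookalike messages.
URL_HOST = re.compile(r"https?://([^/\s]+)", re.IGNORECASE)

# Constructed sample messages (addresses, domains and IDs are placeholders).
MAILBOX = [
"""From: "Accounts Payable" <ap@vend0r-invoices.example>
To: alice@corp.example
Subject: Invoice 4471 overdue
Date: Mon, 03 Nov 2025 08:02:00 +0000
Message-ID: <a1@vend0r-invoices.example>

Please settle the invoice at https://vend0r-invoices.example/pay/4471
""",
"""From: "Accounts Payable" <ap@vend0r-invoices.example>
To: bob@corp.example
Subject: Payment reminder
Date: Mon, 03 Nov 2025 08:05:00 +0000
Message-ID: <a2@vend0r-invoices.example>

Reminder: https://vend0r-invoices.example/pay/4472
""",
"""From: "Finance" <finance@other-sender.example>
To: carol@corp.example
Subject: Updated banking details
Date: Mon, 03 Nov 2025 08:10:00 +0000
Message-ID: <b7@other-sender.example>

See https://vend0r-invoices.example/details
""",
"""From: "Newsletter" <news@legit-vendor.example>
To: alice@corp.example
Subject: November product update
Date: Mon, 03 Nov 2025 07:30:00 +0000
Message-ID: <n9@legit-vendor.example>

Read more at https://legit-vendor.example/blog
""",
]

# Constructed time at which an employee report reached the security team.
DETECTED_AT = datetime(2025, 11, 3, 8, 45, tzinfo=timezone.utc)
REPORTED_ID = "<a1@vend0r-invoices.example>"


def parse_message(raw):
    """Extract the indicators a remediation tool pivots on from one raw message."""
    msg = message_from_string(raw, policy=policy.default)
    return {
        "id": str(msg["Message-ID"]).strip(),
        "recipient": parseaddr(str(msg["To"]))[1].lower(),
        "sender_domain": parseaddr(str(msg["From"]))[1].split("@")[-1].lower(),
        "url_hosts": {h.lower() for h in URL_HOST.findall(msg.get_payload())},
        "delivered": parsedate_to_datetime(str(msg["Date"])),
    }


def index_mailbox(mailbox):
    """Map Message-ID to parsed indicators for every delivered message."""
    parsed = (parse_message(raw) for raw in mailbox)
    return {m["id"]: m for m in parsed}


def find_related(mailbox, reported_id):
    """Return the IDs of every other delivered message that shares the reported
    message's sender domain or links to one of the same hosts: these are the
    candidates to quarantine without waiting for each recipient to report them."""
    by_id = index_mailbox(mailbox)
    reported = by_id[reported_id]
    return sorted(
        mid for mid, m in by_id.items()
        if mid != reported_id
        and (m["sender_domain"] == reported["sender_domain"]
             or m["url_hosts"] & reported["url_hosts"])
    )


def dwell_minutes(mailbox, message_id, detected_at):
    """Whole minutes a message sat in the inbox before detection (time-to-detect)."""
    delivered = index_mailbox(mailbox)[message_id]["delivered"]
    return int((detected_at - delivered).total_seconds() // 60)


if __name__ == "__main__":
    related = find_related(MAILBOX, REPORTED_ID)
    print("reported:", REPORTED_ID, "dwell minutes:",
          dwell_minutes(MAILBOX, REPORTED_ID, DETECTED_AT))
    for mid in related:
        print("quarantine:", mid, "dwell minutes:",
              dwell_minutes(MAILBOX, mid, DETECTED_AT))
```

Two design points matter in practice. The sweep pivots on more than the exact sender address, because a campaign usually reaches several mailboxes with varied subjects and recipients, so a tool that only matches the reported message's Message-ID removes one copy and leaves the rest. The dwell-time figure is what turns the report's detection statistics into something measurable per incident: recording it for every pulled message shows how far ahead of employee reports the automation is running.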
“The ability to detect and neutralize email incidents is often hampered by increasingly complex and evasive attacks, internal skills shortages, a lack of automation, and more,” said Neal Bradbury, CPO at Barracuda.