The cost of phishing attacks has quadrupled over the past six years, causing large US companies to lose an average of $14.8 million each year, according to a new report from Proofpoint and the Ponemon Institute.
Researchers surveyed nearly 600 IT and IT security practitioners to calculate the new average cost, an increase from $3.8 million in 2015. Ransomware and business email compromise (BEC) were the most costly phishing-related attacks, they report, with BEC costing large organizations nearly $6 million annually. Of that, $1.17 million goes toward illicit payments made to BEC attackers. Ransomware costs large organizations $5.66 million each year; of that, $790,000 accounts for ransoms paid to attackers.
"When people learn that an organization paid millions to resolve a ransomware issue, they assume that fixing it cost the company just the ransom. What we found is that ransoms alone account for less than 20 percent of the cost of a ransomware attack," said Larry Ponemon, chairman and founder of Ponemon Institute, in a statement.
"Because phishing attacks increase the likelihood of a data breach and business disruption, most of the costs incurred by companies come from lost productivity and remediation of the issue rather than the actual ransom paid to the attackers," he said.
Researchers also found loss of productivity is one of phishing's costliest outcomes. In an average-sized US corporation of 9,567 people, the study found there are 63,343 wasted hours every year due to phishing scams.
The full study can be found here.