How many people fall victim to phishing attacks?

According to a recently released report, based on a sample of 3 million users collected over a period of 3 months, approximately 45% of the time, users submitted their login information to the phishing site they visited.

The study, exclusively monitored users who successfully reached a live phishing site that was not blocked by their browser's built-in anti-phishing protection or filtered as fraudulent one (Phishing experiment sneaks through all anti-spam filters), and found out that on average, 12.5 out of one million customers sampled for a particular bank, visited the phishing site.

Here are some of the key findings from the report:

• Each phishing attack compromises a very small number of customers (0.000564%), but due the large number of phishing attacks, the aggregated number is significant
• 45% of bank customers who are redirected to a phishing site divulge their personal credentials
• 0.47% of a bank’s customers fall victim to Phishing attacks each year, which translates to between $2.4M-$9.4M in annual fraud losses (per one million online banking clients)
• Each financial institution was targeted, on average, by 16 phishing websites per week
• This translates to 832 phishing attacks per year per brand

The logic applied in the report is similar to the logic I once emphasized on in a previous post while disagreeing with claims made in another report on how unprofitable phishing, and underground economy are in general due to thousands of cybercriminals stealing each other's market share of malicious activity.

It's simple math and a realistic "view from the trenches" perspective. For instance, if the price for launching a phishing campaign (Spamming vendor launches managed spamming service) consisting of 50 million emails is $500, if only a single user falls victim and loses $501, the phisher breaks-even and earns profit.

• Consider going through related posts: Phishers introduce 'Chat-in-the-Middle' fraud tactic; New study details the dynamics of successful phishing; Research: 76% of phishing sites hosted on compromised servers; Microsoft study debunks phishing profitability; Microsoft study debunks profitability of the underground economy; Phishers increasingly scamming other phishers; DIY phishing kits introducing new features; Phishers apply quality assurance, start validating credit card numbers; Lack of phishing attacks data sharing puts $300M at stake annually

Trusteer's report makes another interesting observation, and it's the fact that not only were the phishing sites live, but also, apparently managed to bypass the anti-spam/phishing protection -- if any -- on the potential victim's host.

With the average time for a phishing site to remain online varying based on multiple factors, what the industry and the security community in general can do to better undermine this effectiveness of in-the-wild phishing attacks, is by sharing data, ultimately protecting more people, a practice which according to research reports, can save up to $300M annually.

The beneficial effects of data sharing were most recently confirmed in a Virus Bulletin comparative review of anti-spam solutions, in which they concluded that the "combined effort outperformed individual products":

"In the test, almost 200,000 emails were sent to 14 different anti-spam solutions which were required to classify them as either ham or spam. The test revealed that no legitimate mail was blocked by more than four products. After the test, VB's anti-spam team decided to look into this further and considered a hypothetical filter that marked an email as spam if at least five of the 14 products did so.

Unlike any of the individual products, the hypothetical filter generated no false positives at all, and combined this 0% false positive rate with an impressive overall spam catch rate of 99.89% (higher than any of the individual products VB has tested). "

Despite the long term potential of phishing, and the inevitable localization successfully reaching the native speakers of campaign's message, crimeware also known as banker malware such as Zeus, Limbo, Adrenalin or URLZone, remain the financial industry's biggest enemies, bigger than any economic forecast, no matter how cloudy it is.

Be pragmatic and reclaim control of your bank account. Bank on a LiveCD, ask your bank about the daily withdrawal limit conditions and set them according to your needs, ask them about the availability of SMS alert service allowing you to receive real-time notifications for incoming and outgoing transactions as an early-warning system for bank account compromise.

Images courtesy of PhishTank's Statistics for November, 2009 and Virus Bulletin.