How many people fall victim to phishing attacks?

Summary: According to a recently released report, based on a sample of 3 million users collected over a period of 3 months, approximately 45% of the time, users submitted their login information to the phishing site they visited.

TOPICS: Security

The study monitored only users who actually reached a live phishing site, one that was neither blocked by their browser's built-in anti-phishing protection nor filtered as fraudulent (Phishing experiment sneaks through all anti-spam filters), and found that, on average, 12.5 out of every one million customers sampled for a particular bank visited the phishing site.

Here are some of the key findings from the report:

  • Each phishing attack compromises a very small share of customers (0.000564%), but because of the large number of phishing attacks, the aggregated number is significant
  • 45% of bank customers who are redirected to a phishing site divulge their personal credentials
  • 0.47% of a bank’s customers fall victim to Phishing attacks each year, which translates to between $2.4M-$9.4M in annual fraud losses (per one million online banking clients)
  • Each financial institution was targeted, on average, by 16 phishing websites per week
  • This translates to 832 phishing attacks per year per brand

The logic applied in the report is similar to the logic I emphasized in a previous post, where I disagreed with another report's claim that phishing, and the underground economy in general, are unprofitable because thousands of cybercriminals steal each other's share of the malicious-activity market.

It's simple math and a realistic "view from the trenches" perspective. For instance, if launching a phishing campaign of 50 million emails costs $500 (Spamming vendor launches managed spamming service), then a single victim who loses $501 already puts the phisher past break-even and into profit.
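As an added worked example (mine, not the report's or the article's), the following reproduces the report's per-attack and annual figures from the inputs quoted in the key findings above and carries the break-even arithmetic through. The implied loss per victim and the assumption that each attack reaches a fresh slice of customers are derived here, not stated by the report.

```python
import math

# Figures quoted from the Trusteer report in the article; everything else is derived.
VISITS_PER_MILLION = 12.5              # customers per million who reach a live phishing site, per attack
SUBMIT_RATE = 0.45                     # share of those visitors who hand over their credentials
SITES_PER_WEEK = 16                    # phishing sites targeting one institution per week
WEEKS_PER_YEAR = 52
CLIENT_BASE = 1_000_000                # the report normalises losses per one million online banking clients
ANNUAL_LOSS_RANGE_USD = (2_400_000, 9_400_000)


def per_attack_compromise_rate() -> float:
    """Fraction of a bank's customers compromised by one attack (report: 0.000564%)."""
    return VISITS_PER_MILLION / 1_000_000 * SUBMIT_RATE


def attacks_per_year() -> int:
    """16 sites a week, every week (report: 832 attacks per brand per year)."""
    return SITES_PER_WEEK * WEEKS_PER_YEAR


def annual_victim_rate() -> float:
    """Per-attack rate summed over a year's attacks (report: 0.47%).
    Assumption: each attack hits a fresh slice of customers, which is the
    report's aggregation and what makes the tiny per-attack number add up."""
    return per_attack_compromise_rate() * attacks_per_year()


def victims_per_year(clients: int = CLIENT_BASE) -> float:
    return annual_victim_rate() * clients


def implied_loss_per_victim(clients: int = CLIENT_BASE) -> tuple:
    """Derived here, not stated in the report: annual loss range / annual victims."""
    victims = victims_per_year(clients)
    return tuple(round(total / victims) for total in ANNUAL_LOSS_RANGE_USD)


def victims_to_break_even(campaign_cost_usd: float, loss_per_victim_usd: float) -> int:
    """The article's $500 campaign vs $501 victim arithmetic, generalised."""
    return math.ceil(campaign_cost_usd / loss_per_victim_usd)


if __name__ == "__main__":
    print(f"per-attack compromise rate: {per_attack_compromise_rate():.6%}")
    print(f"attacks per year:           {attacks_per_year()}")
    print(f"annual victim rate:         {annual_victim_rate():.2%}")
    low, high = implied_loss_per_victim()
    print(f"implied loss per victim:    ${low}-${high}")
    print(f"victims covering a $500 campaign at ${low} each: {victims_to_break_even(500, low)}")
```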

Trusteer's report makes another interesting observation: not only were the phishing sites live, they had apparently also bypassed whatever anti-spam or anti-phishing protection, if any, was present on the potential victim's host.

Since the average time a phishing site stays online varies with multiple factors, what the industry and the security community in general can do to undermine the effectiveness of in-the-wild phishing attacks is share data. That ultimately protects more people and, according to research reports, can save up to $300M annually.

The beneficial effects of data sharing were most recently confirmed in a Virus Bulletin comparative review of anti-spam solutions, which concluded that the "combined effort outperformed individual products":

"In the test, almost 200,000 emails were sent to 14 different anti-spam solutions which were required to classify them as either ham or spam. The test revealed that no legitimate mail was blocked by more than four products. After the test, VB's anti-spam team decided to look into this further and considered a hypothetical filter that marked an email as spam if at least five of the 14 products did so.

Unlike any of the individual products, the hypothetical filter generated no false positives at all, and combined this 0% false positive rate with an impressive overall spam catch rate of 99.89% (higher than any of the individual products VB has tested)."
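To make the "at least five of 14 products" consensus concrete, here is an added example (mine, not Virus Bulletin's code or data) that evaluates any vote threshold over a constructed corpus of per-product verdicts. The corpus is synthetic: each product independently catches 90% of spam and wrongly flags 1% of ham, which is an assumption, not a property of the real products tested.

```python
import random
from dataclasses import dataclass

N_PRODUCTS = 14        # matches the review: 14 anti-spam solutions
CONSENSUS_K = 5        # VB's hypothetical filter: spam if at least 5 of 14 say so


@dataclass(frozen=True)
class Message:
    is_spam: bool
    verdicts: tuple    # one bool per product, True = classified as spam


def make_corpus(n_spam=1000, n_ham=1000, seed=7):
    """Constructed corpus (assumption): every product independently catches 90%
    of spam and flags 1% of ham. Real products are neither this uniform nor
    independent, which is why consensus figures have to be measured, not assumed."""
    rng = random.Random(seed)
    corpus = []
    for is_spam, count, flag_p in ((True, n_spam, 0.90), (False, n_ham, 0.01)):
        for _ in range(count):
            verdicts = tuple(rng.random() < flag_p for _ in range(N_PRODUCTS))
            corpus.append(Message(is_spam, verdicts))
    return corpus


def evaluate(corpus, classify):
    """Return (spam catch rate, false positive rate) for a classifier callable."""
    spam = [m for m in corpus if m.is_spam]
    ham = [m for m in corpus if not m.is_spam]
    catch = sum(classify(m) for m in spam) / len(spam)
    fp = sum(classify(m) for m in ham) / len(ham)
    return catch, fp


def consensus(k):
    """Classifier that flags a message when at least k products flagged it."""
    return lambda m: sum(m.verdicts) >= k


def product(i):
    """Classifier that simply repeats product i's own verdict."""
    return lambda m: m.verdicts[i]


def threshold_sweep(corpus):
    """Catch/FP rate for every vote threshold from 'any product' to 'all products'."""
    return {k: evaluate(corpus, consensus(k)) for k in range(1, N_PRODUCTS + 1)}


if __name__ == "__main__":
    corpus = make_corpus()
    for i in range(N_PRODUCTS):
        catch, fp = evaluate(corpus, product(i))
        print(f"product {i:2d}: catch {catch:.2%}  fp {fp:.2%}")
    for k, (catch, fp) in threshold_sweep(corpus).items():
        print(f"k={k:2d}:      catch {catch:.2%}  fp {fp:.2%}")
```

The sweep shows the trade-off the review is exploiting: a threshold of one inherits every product's false positives, a threshold of all 14 misses whatever any single product misses, and a middle value keeps the catch rate while the independent errors cancel out on ham.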

Despite the long-term potential of phishing, and the inevitable localization that lets a campaign's message reach native speakers, crimeware (also known as banker malware) such as Zeus, Limbo, Adrenalin or URLZone remains the financial industry's biggest enemy, bigger than any economic forecast, no matter how cloudy.

Be pragmatic and reclaim control of your bank account: bank from a LiveCD, ask your bank about its daily withdrawal limit conditions and set them according to your needs, and ask whether an SMS alert service is available so that you receive real-time notifications of incoming and outgoing transactions, an early-warning system for bank account compromise.

Images courtesy of PhishTank's Statistics for November, 2009 and Virus Bulletin.

Dancho Danchev

About Dancho Danchev

Dancho Danchev is an independent security consultant and cyber threats analyst, with extensive experience in open source intelligence gathering, malware and cybercrime incident response.

  • A low percentage shows that some people are just too dumb to use a computer

    Falling into the phishing trap somehow reminds me of the following famous quotes:

    "There's a sucker born every minute" - P.T. Barnum

    "No one ever went broke underestimating the intelligence of the American public." - Henry Mencken

    I find that last quote a bit offensive, because you find idiots not only in the USA, but in every country of the world.
    • I find the first one wrong.

      That'd make only ~.066% suckers.

      Way more people are falling for this crap than
      • You are right

        I should not have posted my comment in the middle of the night after my third glass of Jack Daniels.
      • Wow...

        You guys are so smart. Quoting quotes that other people quoted.

        • Wow...

          You're so smart, failing to notice that I didn't quote anyone.
    • And, to start a flame war.....

      IF Google can largely solve that problem with ChromeOS, they will sell boatloads.

      All MS fanboys (and Apple) may fire now.
      • Lies!

        It will use the Linux kernel, which is licensed under the GPL.

        They could technically sell it, but it would be perfectly legal for anyone to redistribute it to as many people as they wanted. You might say this happens with software under proprietary licenses too (e.g. Windows) but it isn't legal for those. It would be for this.
        • Lies?

          Well, the discussion has generally been about ChromeOS on netbooks and semi-appliance type devices. Unless someone just fell off the turnip truck, I think they know that Google is not really trying to sell ChromeOS, but making it available for developers and HW brands. When I said "sell boatloads" or whatever I said, I meant that the HW with ChromeOS will sell boatloads IF Google can substantially solve the phishing problem.

          The text of your post was articulate and constructive, although misdirected. The title was however a bit harsh, don't you think?
          • My bad.

            Sometimes I forget most people buy computers with the OS pre-installed. So I assumed you meant selling it separately. Sorry.
          • No problem.

            We all misread/misunderstand posts from time to time OR we do not make our posts sufficiently clear, assuming other people understand our mindset/perspective. In this case I am probably guilty of the latter.
      • How though??

        How can you prevent people from clicking through malicious links? Spam filters won't catch everything, and Google can't control ignorance or user fallibility.
        The one and only, Cylon Centurion
        • Don't know the technical end too well, but

          Google already warns you if they deem a site to be malicious. They can probably do more. If you allow them, they can block those sites I presume. They can probably also intercept personal data entered to a bogus site, if you allow them. If everything goes through Google, they can pretty much do anything, no?

          The point I was trying to make was that there are needs out there crying to be addressed/met/solved, as highlighted by this blog. MS has done a terrible job, given the power they have had for literally two decades, at really trying to solve pressing user problems. IF ChromeOS can meet the needs and address the concerns of the average low level user, they will make a considerable impact on the OS market. I cannot imagine Google trying to be another also-ran OS attempt. They have a grand vision for both Android and ChromeOS. There is room for a relative home run here. Whether they will make it or not, I have no idea.
          • Microsoft

            Is also in the position that prohibits them from doing much of anything anymore.

            ChromeOS is still sounding more like a big brother device to me. Google this, Google that... Is letting Google have this much power over our information such a good idea?

            Either way, I do like the idea of a search engine or browser addon that can keep tabs on reported malicious websites. It gives me a good idea of what I am about to click on. However, if Joe User really wants to click through he will do so anyway. A decision he will most likely be regretting 5 hours later when you are fixing his machine. Haha.
            The one and only, Cylon Centurion
          • That makes sense.

            They both have search engines.
            They both have instant messengers.
            They both have browsers.
            They both have local search programs.
            They both have operating systems.

            But Google's are all open source and free, so they must be big brother?

            Ya, that makes sense.
          • You don't understand

            I was talking about Chrome OS. The operating system that forces your files to be synced with Google's servers. The operating system that forces you to give up ownership of your data. The operating system that kills privacy... The operating system that forces you to trust Google not to lose your files or let them be stolen (Which they will. There is no doubt data breaches will occur).

            But hey! Since they're open source, I trust them with my life! Open source can't do any evil!
            The one and only, Cylon Centurion
          • @NStalnecker: I don't understand where your claims come from.

            I'd be interested to read more, though. Please post your source. Thanks.
          • Here:


            The one and only, Cylon Centurion
          • @NStalnecker: Excellent reads, thank you.

            Neither of them were related to your claims,
  • RE: How many people fall victim to phishing attacks?

    That is amazing that people do that but then how many refuse to wear seatbelts even in states where it is a ticketable offense.
    How many keep right on smoking then cry when they get sick.
  • One word: GREED

    Every single phishing scam is based on greed.

    Greed by the scammer ....
    Greed by the idiot who falls for it ....

    Excuse me sir, you don't know me but I will give you $$$ millions if you just send me a check for $$$ thousands or let me use your bank account to hide money.

    Excuse me sir, you can save lots of money by buying Viagra from us. We are not a pharmacy and our pills are pink. But we are legit and all you have to do is give us your bank account and password. We will keep your Willey happy, guaranteed.

    Hello sir, your bank was hit by scammers and there is a danger your money may be stolen. To be sure, please visit our non-bank related website and enter your account number, account name and account password to verify that you are you. In exchange we will deposit $1000 in your account to compensate your time and trouble. We may ask you for additional personal information ... Trust us, we are legit.

    Hey you!! I have a product that will make you $$$ millions. You are selected for being an idiot ... I mean a nice person. All we need is your bank account and password. In a couple of days, you will receive a large sum of deposits for investing in our scam ... I mean product.

    Want to protect yourself from a foreclosure?? Just transfer the title for your home to our company in the Netherlands. All you have to do is transfer the title, we will do the rest. No need to contact your lender, since the loan will be automatically transferred with the title. You can even stay in the house without having to pay rent.

    Hi, I have $50,000 watch that I would like to sell you for $500. Just wire the money via Western Union. We will use the information in the transfer to mail you the watch.

    Microsoft is giving away millions to people who forward email. If you don't like Microsoft, we can give the money to a little girl dying out of stinky tush syndrome in Brazil. Just click on this link and give us your bank information where we can make the payments, then forward this email to all your stupid friends and idiotic family members.