According to a recently released report based on a sample of 3 million users observed over a period of three months, users who reached a phishing site submitted their login credentials to it roughly 45% of the time.
The study monitored only users who successfully reached a live phishing site, one that had not been blocked by the browser's built-in anti-phishing protection or flagged as fraudulent (Phishing experiment sneaks through all anti-spam filters), and found that on average 12.5 out of every one million customers sampled for a given bank visited the phishing site.
Here are some of the key findings from the report:
Each phishing attack compromises a very small fraction of customers (0.000564%), but because of the large number of phishing attacks, the aggregate is significant
45% of bank customers who are redirected to a phishing site divulge their personal credentials
0.47% of a bank’s customers fall victim to Phishing attacks each year, which translates to between $2.4M-$9.4M in annual fraud losses (per one million online banking clients)
Each financial institution was targeted, on average, by 16 phishing websites per week
This translates to 832 phishing attacks per year per brand
It's simple math, and a realistic "view from the trenches" perspective. For instance, if launching a phishing campaign (Spamming vendor launches managed spamming service) of 50 million emails costs $500, then a single victim losing $501 already puts the phisher past break-even, and every further victim is pure profit.
Trusteer's report makes another interesting observation: not only were the phishing sites live, but the lure emails had apparently also slipped past whatever anti-spam/phishing protection, if any, was in place on the potential victim's host. As a Virus Bulletin comparative test of anti-spam products found:
"In the test, almost 200,000 emails were sent to 14 different anti-spam solutions which were required to classify them as either ham or spam. The test revealed that no legitimate mail was blocked by more than four products. After the test, VB's anti-spam team decided to look into this further and considered a hypothetical filter that marked an email as spam if at least five of the 14 products did so.
Unlike any of the individual products, the hypothetical filter generated no false positives at all, and combined this 0% false positive rate with an impressive overall spam catch rate of 99.89% (higher than any of the individual products VB has tested)."
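The "hypothetical filter" in the quote is a k-of-n vote over the verdicts of n products. The script below, an added example that is not code from this post or from Virus Bulletin, implements that vote and sweeps k from 1 to 14 to show the false-positive versus catch-rate trade-off. The corpus is constructed (an assumption, not VB's data), shaped only so that no ham message is flagged by more than four of the 14 products, the property the quote reports.

```python
# Added example: k-of-n voting over anti-spam product verdicts.
# Not code from the original post or from Virus Bulletin; the corpus
# below is constructed and the product count is assumed to be 14 as in
# the VB test described above.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

N_PRODUCTS = 14  # the quoted VB test used 14 anti-spam solutions


@dataclass(frozen=True)
class Message:
    is_spam: bool    # ground-truth label ("spam" vs "ham")
    spam_votes: int  # how many of the N_PRODUCTS flagged it as spam


# Constructed histograms {spam_votes: number_of_messages}. Ham is shaped so
# that no legitimate message is flagged by more than four products.
HAM_VOTES = {0: 180, 1: 12, 2: 5, 3: 2, 4: 1}      # 200 ham messages
SPAM_VOTES = {14: 700, 10: 60, 7: 30, 5: 8, 3: 2}  # 800 spam messages


def build_corpus() -> List[Message]:
    """Expand the constructed histograms into individual labelled messages."""
    corpus = [Message(False, v) for v, n in HAM_VOTES.items() for _ in range(n)]
    corpus += [Message(True, v) for v, n in SPAM_VOTES.items() for _ in range(n)]
    return corpus


def ensemble_says_spam(spam_votes: int, k: int) -> bool:
    """The hypothetical filter: spam iff at least k products said spam."""
    return spam_votes >= k


def evaluate(messages: List[Message], k: int) -> Tuple[float, float]:
    """Return (false_positive_rate, catch_rate) for threshold k.

    false_positive_rate = ham flagged as spam / all ham
    catch_rate          = spam flagged as spam / all spam
    """
    ham = [m for m in messages if not m.is_spam]
    spam = [m for m in messages if m.is_spam]
    false_positives = sum(ensemble_says_spam(m.spam_votes, k) for m in ham)
    caught = sum(ensemble_says_spam(m.spam_votes, k) for m in spam)
    return false_positives / len(ham), caught / len(spam)


def threshold_sweep(messages: List[Message],
                    n_products: int = N_PRODUCTS) -> Dict[int, Tuple[float, float]]:
    """Evaluate every threshold from k=1 (any product) to k=n (all products)."""
    return {k: evaluate(messages, k) for k in range(1, n_products + 1)}


def safest_threshold(sweep: Dict[int, Tuple[float, float]]) -> Optional[int]:
    """Smallest k with zero false positives. Raising k can only lower the
    catch rate, so this is the zero-FP threshold with the best catch rate."""
    for k in sorted(sweep):
        if sweep[k][0] == 0.0:
            return k
    return None


if __name__ == "__main__":
    results = threshold_sweep(build_corpus())
    for k, (fpr, catch) in results.items():
        print(f"k={k:2d}  FP rate={fpr:6.2%}  catch rate={catch:7.2%}")
    print("zero-FP threshold:", safest_threshold(results))
```

On this constructed corpus k=1 (flag if any product does) has a 10% false-positive rate, k=5 is the first threshold with none, and k=14 (unanimity) drops the catch rate to 87.5%. The caveat a practitioner should keep in mind is that the vote only helps while the products' mistakes are uncorrelated: a legitimate bulk mailing that five engines dislike for the same reason is a false positive at k=5 no matter how many other engines are consulted, and a phishing lure crafted to evade the common signatures will collect few votes from any of them.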
Despite the long-term potential of phishing, and the inevitable localization of campaigns so that the lure reaches native speakers of its language, crimeware (banker malware such as Zeus, Limbo, Adrenalin or URLZone) remains the financial industry's biggest enemy, bigger than any economic forecast, however cloudy.
Be pragmatic and reclaim control of your bank account: bank from a LiveCD, ask your bank about its daily withdrawal limit conditions and set the limits to match your needs, and ask whether it offers an SMS alert service with real-time notifications of incoming and outgoing transactions, which serves as an early-warning system for account compromise.