Despite the longstanding efforts of banks and the IT security community to warn end users, specifically people using online banking applications, to beware of phishing schemes, many people who open the e-mails and visit the phony sites still end up handing over their credentials, researchers claim.
In a new paper that seeks to scope the breadth and scale of the phishing industry, experts with e-banking security software specialist Trusteer contend that while only a small percentage of all online bankers somehow end up at phishing sites (just over 1 percent), roughly half of those people end up sharing their login and password information with the scammers behind the attacks.
That may seem like a negligible number of affected users, but considering that online banking services have millions of customers around the globe, the total amount of involved losses still adds up.
The researchers found that on average, only 12.5 out of one million customers from a given bank fall for each new phishing campaign. However, Trusteer estimates that even this seemingly low phishing success rate currently costs banks as much as $9.4 million per year per million users.
The company based its findings on data gathered over a three month period via a browser plug-in distributed to some 3 million e-banking users who are customers of 10 sizeable U.S. and European banks.
In general, most phishing runs are relatively small, hitting a small fraction (0.0005 percent) of all online banking users, the report concludes. Despite that, based on the large volume of different campaigns, most e-banking customers still receive phishing schemes of some kind on a regular basis.
Many common phishing scams are caught and weeded out by security and spam filters, but, if you look at the number of messages that are delivered and how many end users still fall for those, the losses add up pretty quickly, Trusteer said.
One of the primary factors driving success rates for users who end up visiting phishing sites is that there are now very few visual clues that might tip people off that they are not at the bank's legitimate site. Phishing messages also continue to become more slick and believable.
"While the fact that nearly half of the victims were tricked into giving up their online banking credentials was surprising, the aggregate value of the financial losses created by only half of one percent of a bank's customers is staggering," said Amit Klein, CTO of Trusteer.
It's not surprising to hear such results coming from a company that sells anti-phishing services to financial institutions; however, it is interesting to have some numbers to tie to the success rates of attacks.
Matt Hines has been following the IT industry for over a decade as a reporter and blogger, and has been specifically focused on the security space since 2003, including a previous stint writing for eWeek and contributing to the Security Watch blog. Hines is currently employed as marketing communications manager at Core Security Technologies, a Boston-based maker of security testing software. The views expressed herein do not necessarily represent the views of Core Security, and neither the company, nor its products and services will be actively discussed in the blog. Please send news, research or tips to SecurityWatchBlog@gmail.com.