Most Phishing Scams Fail But Enough Succeed

Ever wonder what percentage of people are clicking on those e-mails leading to fraudulent bank login pages? The answer is very little – more than enough for phishers to still make a killing.

New research from security firm (PDF) Trusteer shows that once users had been lured to a phishing site, some 45 percent entered their login information. These findings, taken during a three month analysis, are based on a sample of more than 3 million users of Trusteer’s Rapport browser security service that are customers of 10 large U.S. and European banks.

Each phishing attack compromises a very small number of customers (0.000564 percent), but due the large number of phishing attacks, the aggregated number is significant. Overall, 0.47 percent of the banks’ customers fall victim to phishing attacks each year, translating to between $2.4 million and $9.4 million in annual losses.

With that kind of money at stake, it is important both businesses and consumers learn to recognise phishing e-mails when they see them. In an enterprise environment, that process begins with training.

“Engage the user base when developing a training program (and) view training programs as marketing campaigns to sell security,” advised Rohyt Belani, CEO of Intrepidus. “Teach people through first hand experience (mock phishing exercises followed with instant training/feedback) rather than boring sessions and poster campaigns that couch do’s and don’ts.”

He also suggested rewarding users that consistently dodge phishing attacks, rather than simply penalising those that do not.

“People should have a basic level of suspicion associated with email and understand that just because the “from” address looks authentic, the email contains a personalised salutation and the content is in appropriate context that it is not necessarily where or who it claims to be from,” he told eWEEK. “This will instill a though process of evaluation before acting on email.”

However phishing scams are getting more difficult to detect all the time, particularly in cases of spear phishing, which are targeted attacks, noted Scott Crawford, an analyst with Enterprise Management Associates.

“Message filtration technologies help with this, but as far as awareness goes, users should consider just about any message suspect unless it contains detail that would only be known to the sender (and) recipient – and even then, a skillfully crafted attack can look very believable,” he said.