Phishing losses add up
It's a numbers game – although the number of banking customers who fall victim to phishing attacks is small, it all adds up to a lucrative business for cyber criminals, according to a study by security services provider Trusteer. According to the Trusteer report, in any one phishing attack on a US banking institute, around 13 out of every million customers visit a phishing website, as a result of actions such as clicking on a link in an email, and of these almost half enter their login details on the phishing website.
With more than 800 phishing attack waves against each banking institute per year, Trusteer calculates that criminals are obtaining around 4,700 sets of login details per million customers. Assuming the loss per account to be $2,000, this would mean that phishers were stealing a total of $9.4 million through fraudulent bank transfers. Even assuming a loss per account of just $500, this still gives a figure of $2.35 million per banking institute per million customers. And that's just phishing related losses – it does not include losses caused by password-stealing trojans.
The study doesn't comment on whether this makes it a worthwhile business for individual phishing groups. Earlier this year, Microsoft published a study which found that phishing is simply not worth the candle – with too many phishers pursuing too few customers. If we assume that the 800 phishing waves are launched out by 800 different criminals, the average booty would add up to just $12,000 (six customers losing $2,000 each).
The really surprising finding from the Trusteer study is that half of all customers who visit a phishing website enter their details. A study recently published by Microsoft on security advice hints at one possible reason for this – since US bank customers are not running any personal risk, they have no particular need to be careful. US banks usually cover phishing-related losses automatically – possibly because most institutions fail to use any specific authentication mechanism such as Transaction Authentication Numbers (TANs).
- Trusteer Reports that Half of Online Banking Users Who Click on Phishing E-mails Lose their Login Credentials, Trusteer press release.