Phishing is probably going to be the greatest threat to the average Internet user in the near future. While just about everyone is aware of viruses and malware, at least on a basic level, a number of people don't realize the threat that phishing poses.
Phishing refers to a specific type of online scam. The scammer poses as a trusted entity, like a bank, and sends out emails or sets up fake websites requesting account information. The usual process involves a warning that your account will be shut down unless you act, although some recent PayPal phishing scams involved sending out fake bills to try to make the confused user examine the bill through a fake link the scammer provided. Most now go the extra step and provide what appears to be a real link to the main site, but is actually a link to their spoof site. Once you're on this fake version, they'll try to get you to log in to your account. Their keylogger will capture the information and they'll be ready to put it to use for a quick profit.
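The "real-looking link that points at a spoof site" trick described above relies on the gap between what a link displays and where it actually goes. The following is an added example (not part of the original article) of a simple defensive check a mail filter or training tool could run over an HTML email body: it extracts every anchor whose visible text looks like a URL and flags those whose displayed host differs from the host in the `href`. The email body is constructed here for illustration, using the reserved `example.net` domain as the spoof host.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None   # href of the anchor currently being read, else None
        self._text = []     # text fragments seen inside that anchor

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host_of(url):
    """Return the lowercase hostname of a URL, tolerating a missing scheme and a leading 'www.'."""
    if "://" not in url:
        url = "http://" + url
    host = (urlparse(url).hostname or "").lower()
    return host.removeprefix("www.")


def find_deceptive_links(html_body):
    """Return links whose visible text shows one host but whose href leads to another.

    Only anchors whose visible text itself looks like a URL are judged; plain
    'Click here' text carries no displayed host to compare against.
    A href on a subdomain of the displayed host (accounts.bank.example under
    bank.example) is treated as consistent.
    """
    collector = _LinkCollector()
    collector.feed(html_body)
    findings = []
    for href, text in collector.links:
        if not re.match(r"^(https?://|www\.)", text, re.IGNORECASE):
            continue
        shown, actual = _host_of(text), _host_of(href)
        if shown and actual and shown != actual and not actual.endswith("." + shown):
            findings.append({"shown": shown, "actual": actual, "href": href})
    return findings


# Constructed sample email body: one deceptive link, one consistent link.
SAMPLE_EMAIL = """
<p>Your account will be suspended unless you verify your details.</p>
<p>Please log in at
   <a href="http://secure-login.example.net/paypal">https://www.paypal.com/</a></p>
<p>Questions? Visit <a href="https://www.paypal.com/help">https://www.paypal.com/help</a></p>
"""

if __name__ == "__main__":
    for f in find_deceptive_links(SAMPLE_EMAIL):
        print(f"displayed {f['shown']!r} but href goes to {f['actual']!r}: {f['href']}")
```

The check is deliberately narrow: it only catches anchors whose text is itself a URL, which is exactly the pattern the article describes. Links with generic text, look-alike domains, or shortened URLs need additional checks.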
If they manage to get passwords for PayPal, eBay or your bank, then they can do fairly conventional theft or fraud. A few go the extra step and use phishing to get an email or Facebook login. With this in hand they can slowly figure out your security programs and take over your online identity through password recovery programs.
Obviously the potential for damage is quite real. The FBI has estimated annual losses of $1 billion due to phishing alone, while Consumer Reports projected over $2 billion lost to phishing scams. There's generally a divide over the non-monetary costs, since it's hard to account for lost time, damaged credit and stress.
Hopefully it will be helpful to review the most recent reports to see the apparent patterns in attacks against banks.
The Usual Targets
The targets of phishing are not necessarily surprising. The RSA provides a monthly report on phishing attacks against individuals and companies.
For a quick summary, phishing attacks trend around 15,000-18,000 per month worldwide. Since September 2010 there has been a slight decrease, although it appears to be noise in the long run. A major change over the past year (since March 2010) is the shift in which banks are being targeted. Targets shifted from being primarily regional banks to nationwide banks. About 65% of phishing attacks go after nationwide banks, 30% target regional banks and only about 5% go after credit unions. There has been some fluctuation in these numbers, naturally. Each one tends to stay within roughly 5-10% of the base number, except for the noted shift toward national banks.
It is also worth noting that phishing attacks are fairly spread out across the developed world. The United States is the biggest target with 37% of attacks, the United Kingdom follows with 27%, then South Africa with 15%, China with 7% and Italy with 3%.
If you'd like to see the reports and figures for yourself, or view a more recent report, you can view the .pdf at http://www.rsa.com/node.aspx?id=1331
One very important phishing statistic is the very low success rate. This is vital to understanding the way that phishing works.
Phishing has an estimated success rate of 0.000564%. 0.47% of any bank's customers will ultimately fall for at least one attack annually. For every one million customers that a bank has, just 12 people will go to a specific attack's spoof website, and of those 55% will realize the scam and back out at the last minute. If you wish to read the rest of the report, consult the .pdf file from Trusteer.
Phishing works because of the extremely high number of phishing attacks that occur. Hundreds of attacks occur each year and each one can target millions of people. Phishing is the danger it is because of the mind-numbingly high number of emails and attacks that occur each year. If you want to stay safe, you need to be ready to handle the multitude of phishing attacks that will make their way to you and your relatives' email addresses.
- Source: General Accounting Office, Report on Cybercrime
- Source: RSA Anti-Fraud Command Center, RSA Online Fraud Report, November 2010