WOW: Surprising Stats on Phishing

Category: Security

Researchers at Google and UCSD have released a study showing that an astonishing 14% of all phishing attempts are successful. They also reveal how the bad guys gain access to victims’ accounts and what they do once they get in. Read on, and please forward this article to a friend...

Why Phishing Works

In their paper "Handcrafted Fraud and Extortion: Manual Account Hijacking in the Wild" a team of eight researchers from Google and the University of California San Diego make some claims about phishing (attempts to trick people into providing their login credentials) that I found astonishing.

Are you ready for this? Some phishing websites succeed at tricking users 45% of the time. Obviously these are the most sophisticated and realistic ones, but even the most poorly executed fake sites work on 3% of those who were tricked into visiting.

The research paper focused on what it calls manual hijacking... in which “professional attackers spend considerable time exploiting a single victim’s account, often causing financial losses.” Such targeted, labor-intensive attacks are rare, the Goog assures us – only “9 incidents per million users per day.”
Phishing Stats

But according to other researchers there are 2,405,518,376 Internet users, and 70 per cent of them use the Internet every day. I’ll do the math for you: at least 15,145 people get hijacked every day! Clearly, more education is needed to make Internet users aware of this menace.

Most manual hijackings involve phishing, says Google. Bad guys send millions and millions of messages designed to trick viewers into taking some action that gives the bad guys access to their accounts. The medium of the message is most often email but it can also be a text message, Tweet, or Facebook notification.

We Won't Get Fooled Again. Maybe.

Most "phishing lines" are tied to websites, where the actual invasion of an account originates. The site may continue the message’s deception, seducing the victim into giving up his login credentials on a key account, or teasing out of him enough personal information to enable identity fraud. Alternatively, a rogue site may occupy the victim with a game, information, or a phony “free virus checkup test” while in the background a malware app is delivered to his device and triggered by a click that ostensibly does something else.

Use 2-step verification wherever it is offered by your account issuers. Google, for example, will send a one-time passcode to your phone via text message; you need to enter it as well as your permanent password to get into your Google account. Without the passcode, your login and password are useless to phishers. See my article SECURITY TIP: Two Factor Authentication to learn more.

Google found that a majority of the hijackers operate in China, Ivory Coast, Malaysia, Nigeria, and South Africa. They also analyzed a number of phishing exploit sources to determine how the bad guys gain access to victims’ accounts and what the bad guys do once they are “in.” The study paints a chilling picture of highly efficient, devastating rapacity:

The best of those rogue websites work 45% of the time, tricking visitors into cooperating in their own destruction. Even the most obviously fake sites (ones that had only a simple form prompting for a username and password) worked 3% of the time. On average, 14% of visits resulted in the visitor entering his own personal information on the site.

About 20% of victims had their accounts raided within 30 minutes of giving a rogue site the keys. Once hackers get into an account they spend about 20 minutes, on average, rooting around for more sensitive info and blasting out more phishing messages to a victim’s contacts, if they’re available. New targets who receive phishing messages from compromised accounts are 36 times more likely to fall victim themselves because they trust their contacts.

Phishers learn and adapt very rapidly. When Google started asking “secret questions” like “what was the name of the street you grew up on?” phishers immediately began looking for the answers, and finding them.

What Should You Do?

The moral of this study is “constant vigilance.” Phishing is rapidly replacing self-replicating viruses as the dominant threat to your security online. Phishing depends on your carelessness; keep your mental shields up as well as your antimalware software shields.

If you suspect you may have given your personal info to the wrong people, act immediately even if the incident happened days ago. Change your password; if you can’t, you probably have been hijacked. If the phish involved a bank account, credit card, or other specific account, get hold of the account issuer immediately and do what can be done to close the barn door or put out the fire.

Using 2-step verification, as I mentioned in the sidebar above, will prevent phishers from logging into your account, even if they have your username and password.

And finally, I think it's imperative that we help our family and friends maintain awareness of how phishing works, and how to avoid falling into this trap. Forwarding this article, or sharing the link on Facebook would be a good start.

Your thoughts on this topic are welcome. Post your comment or question below...

Ask Your Computer or Internet Question

  (Enter your question in the box above.)

It's Guaranteed to Make You Smarter...

AskBob Updates: Boost your Internet IQ & solve computer problems.
Get your FREE Subscription!


Check out other articles in this category:

Link to this article from your site or blog. Just copy and paste from this box:

This article was posted by on 20 Nov 2014

For Fun: Buy Bob a Snickers.

Prev Article:
Geekly Update - 19 November 2014

The Top Twenty
Next Article:
A Trio of Apple Security Flaws

Most recent comments on "WOW: Surprising Stats on Phishing"

Posted by:

20 Nov 2014

hey bob...thank you for the article on virus protection...i switched to avast from avg and i see a distinct difference...i too was a victim of the automatic re-up and the price went from 39 a yr to 54...i give avg credit,they refunded my money in only 3 days

Posted by:

20 Nov 2014

An excellent article Bob! As a long-time computer troubleshooter, I've been advising customers, friends, neighbors and relatives on several of these points. You've also got some great additions to what I've been recommending. Some people take action on them, but unfortunately many don't. I'll send them a link to this page, hoping more will act on your warnings, than mine.

Posted by:

Tom English
20 Nov 2014

If you want to slow it down, we need to start fining the banks and brokerage houses that encourage phishing. It should be illegal for any financial institution to send out emails with links in them. To make matters worse, half the time you can't access the article or offer if you open your browser and connect to the saved site; the advertised feature is ONLY available if you click on the email link and sign in to the site IT takes you to,

Posted by:

20 Nov 2014

Use False answers to Security questions to stymie their success.
i.e. "Street: Ans: "123 byteme"..
Mothers Maiden Name .."Papa Johns"....
Googles will find facts and fail the question/answer.

Posted by:

20 Nov 2014

>>>> …according to other researchers there are 2,405,518,376 Internet users…

Whoever claims to know the number of Internet users with that fine resolution is anything but a researcher.

I could accept an ESTIMATE of 2.40 milliard users or, better yet, a more careful estimate of 2.4 milliard users.

While I was typing this comment, numerous users connected to the Internet for the first time and numerous users perished.

>>>> “9 incidents per million users per day.”

Bursztein et al actually referred only to users who lost access to their Google account due to successful phishing. Fortunately, not everyone uses a Google account..!

>>>> ….more education is needed to make Internet users aware of this menace.


Users should also be educated about the menace of Google, Facebook, etc. who brutally intrude on their privacy by collecting their personal data.

Posted by:

bob price
20 Nov 2014

I've read two tips on passwords. Add symbols in the middle. So if my pw is bobprice, it becomes bob###price.

Second, use other words for secret question,
"Who was your childhood best friend?"
"Lady Gaga"

Posted by:

ursula adamson
20 Nov 2014

Speaking of which, received one of these phoney emails from a false Wells Fargo, telling me that a number of people had been trying to enter my account and to protect me, they would have to block my account if I didn't reconfirm my access information. I know that Wells Fargo would never ask for this kind of info via email. When I moused over the link I was to send the data, this is what came up: Thanks to my Kaspersky Internet Security it was removed from my laptop. Kaspersky is number one!

Posted by:

20 Nov 2014

I thought I was infallible at spotting phishing spams; it was moreover a satisfying sport to turn them in to SpamCop by the dozens per week. Well, the impossible finally happened—I fell for one, hard. This particular phishing spam was masquerading as a personal e-mail storage overflow/system migration notice from our IT group. I was not paying full attention, and I was also vaguely aware that I was in fact getting close to my e-mail storage limit. Then, WHAM, the blinding white light a millisecond after hitting send, and that sinking feeling that something wasn't right. Sure enough, the following Web page URL was clearly NOT local. Fortunately, in panic mode it took only about 10 minutes to change the password everywhere previously used with that address. Apparently, according to Bob's article, the passwords were changed just in time. The moral is, train yourself to think more than once before revealing passwords, especially on a page you haven't actually seen before!

Posted by:

20 Nov 2014

"Phishers learn and adapt very rapidly. When Google started asking “secret questions” like “what was the name of the street you grew up on?” phishers immediately began looking for the answers, and finding them."

Never stop laughing on people... Why do they spread over all the Internet answers to their secret questions??? Should they refresh the meaning of the word "secret"? Of course, you can not take back whatever you've already talked in public internet resources, but who force you to use this info again and again? Just use something that you never mentioned. Yet.

Are humans really sapiens? The longer I live, the more I doubt about that...

Posted by:

bob rice
20 Nov 2014

I am very surprised and disappointed at the huge number of banks and financial institutions who do not offer 2-step-verify.

Posted by:

Lloyd Collins
20 Nov 2014

I never get tricked with e-mails (so far),I always go to the site through their real address, if I am not sure it is a real notice. And, I forward the evil e-mail to the real sites to investigate.

Now, the banner ads, I hope I don't weaken and click.

Posted by:

20 Nov 2014

I get many emails about 'Notice to Appear' or a variation which is supposed to be a notice for me to appear in court. Every email uses a different USA lawyer's email address, they've told me it is a bad email. It always contains a zipped virus which makes it through to me. I also get many IT Briefs emails, same thing, different addresses.
I go on many web sites and I see the 'jumping' 'Media Player' update, which is another bad link but I don't know how to delete that.

Posted by:

20 Nov 2014

You think we should use Google's 2-step verification with our phone number? I don't advise giving Google your phone number. I don't even have my real name or zip code for my Google and Yahoo accounts. I ran a small free ad for my business on Google Maps, and they shared my number with 100 or more other companies, who have been spamming my phone for years. See if the major companies give you a choice of various 2-step verifications.

Posted by:

Dave B
21 Nov 2014

You mention using 2 step verification. I agree that is desirable, but that is not determined by the user, but by the website designer of the site you are trying to log into. Only one of the "sensitive" sites that I use, a bank, uses 2 step verification. I wish the rest did.

Posted by:

Alan Riley
21 Nov 2014

Hello from England Bob. I fell for what I think was a very sophisticated Phishing exercise. My Road Tax was due for renewal. I normally did it at the Post Office but forgot so I needed to renew in a hurry before my disc exopired. You can renew online at the DVLA ( Driver and Vehicle Licensing Authority ) website, so I simply googled DVLA and went to the site at the top of the list offered. I filled in my details as requested, Car Registration, Address and card details, pressed enter and got an error message saying the page needed to begin again. It reloaded and I filled in my details again and successfully got to the end. A few days later I got a call from my bank asking if I could confirm if I had made certain payments. They went through a list, DVLA, petrol, shopping etc. and three purchases of jewellery, membership of an online dating site, and a hotel room in Las Vegas. Needless to say, the jewellery, dating and hotel were not me. The bank said straight away I had been to a fake DVLA site which had taken my details and then sent me to the proper site after the fake error message. The DVLA is a Government body, so these phishers had actually faked a British Government website, and somehow got it to number one on Google to sting people. How do we defend against that sort of ingenuity when we cannot even trust a Government website ? ( I imagine some are laughing at the thought of trusting anything to do with the Government, but you know what I mean )

Posted by:

22 Nov 2014

I monitor the spam folder for a business (on gmail) I've seen over 150 spams per day fill that sucker up. What is really silly is how many are listed as coming from separate senders, but have identical subject lines, right down to the mis-spellings (some purposeful in an attempt to get around the spam filters). I can get a dozen or more in a row. The subjects range from "enhancement" products to Open Enrollment for health insurance to floor coatings to luxury yachts (?!). It's always funny to see "Hey, (name of company), please you girlfriend tonights!" I know current law sees corporations as "individuals," but I doubt the said corporation is dating...

Day after day.

We even get dozens of spams in Chinese... go figure.

One other clue to a suspicious email that at least can be done on gmail is to hover over the name of the sender. A pop up will appear with some info about he sender like a photo (if it's a gmail account and they've provided one) or the like. Usually this info is missing so it's a good bet the sender is fake. This is good if you get a suspicious email that was supposedly sent by an individual as most folks I know will have at least *some* profile info that will get displayed.

Rule #1 should be "If in doubt, don't." (or "If in doubt, delete.")

And Rule #2 could be to always provide made-up info for those "security questions." I did a Google search on a friend and found far too much information that even they didn't know was out there.

Post your Comments, Questions or Suggestions

*     *     (* = Required field)

    (Your email address will not be published)
(you may use HTML tags for style)

YES... spelling, punctuation, grammar and proper use of UPPER/lower case are important! Comments of a political nature are discouraged. Please limit your remarks to 3-4 paragraphs. If you want to see your comment posted, pay attention to these items.

All comments are reviewed, and may be edited or removed at the discretion of the moderator.

NOTE: Please, post comments on this article ONLY.
If you want to ask a question click here.

Free Tech Support -- Ask Bob Rankin
Subscribe to AskBobRankin Updates: Free Newsletter

Copyright © 2005 - Bob Rankin - All Rights Reserved
About Us     Privacy Policy     RSS/XML

Article information: AskBobRankin -- WOW: Surprising Stats on Phishing (Posted: 20 Nov 2014)
Copyright © 2005 - Bob Rankin - All Rights Reserved