Dark Reading is part of the Informa Tech Division of Informa PLC

Risk | Commentary
12/7/2009 12:49 PM
Keith Ferrell

Bank Phishing: It Doesn't Take Much For Phishers To Take A Lot

Most people ignore -- and, one hopes, delete unopened -- those phishmails that pose as correspondence from legitimate banks. But even a fraction of a percentage of responses generates millions for the crooks.

A new report from security firm Trusteer shows just how much money bank phishers can make from a very few pigeons.

How few?

According to Trusteer's three-month research project covering 10 banks, only 0.47% of a bank's customers actually fall for an apparently bank-branded phishing scam.

That's enough. Enough, in fact, to generate bank phishing revenues in the millions. The average bank customer who clicks on a phish-link and gives up account information loses $2,000.

What's most frightening about the report is that, despite the low overall percentage of customers who click on a phish-link, a high percentage of those who do click go on to hand over their log-in info: as high as 45%, according to Trusteer.

No wonder there are so many bank-phishing mails: low overall response is more than offset by a stunning payoff from those who do fall for the scam.

One can take some comfort in the low overall response figures, but the share of those who click on a phish-link and then go all the way and surrender their credentials is as discomfiting a statistic as I've seen lately.

The complete Trusteer Bank Phishing Attack Report is available from Trusteer.
