If you've ever wondered just how lucrative a phishing campaign against your bank can really be, then consider this: Phishers actually land a tiny percentage of victims, but the end result is big bucks -- to the tune of $2.4 million to $9.4 million a year, according to a new study that measured real phishing attacks on banks.

Trusteer, which gathers phishing intelligence via its Rapport browser security plug-in, found only 0.47 percent of a bank's customers fall prey to phishing attacks each year, but the bad guys typically make about $2,000 on each customer's account they compromise. The company collected data during a three-month period from 10 large banks in the U.S. and Europe, and then for the report (PDF) normalized the data per 1 million users.

Each phishing attack compromised about 0.000564 percent of online banking customers, and 45 percent of them who were redirected to a phishing Web page gave up their online credentials.

"I was a bit surprised by the volume of phishing that still gets through to the users and gets clicked on and acted upon," says Amit Klein, CTO at Trusteer. "What surprised me even more was that almost half of users that had a phishing site rendered in their browser decided to interact with the site and share their credentials. That's something remarkable in itself."

That demonstrates how attempts to educate users about phishing haven't succeeded, he says.

The report found that each bank was targeted on average by 16 phishing Websites a week, which comes out to 832 phishing attacks per year per brand. When compared to the Anti-Phishing Working Group estimates that the average number of phishing URLs per brand in June was 190, Trusteer concluded that only one of 2.7 phishing URLs reaches its intended target.

An average of 12.5 out of 1 million customers per bank visited each phishing Website. These are customers who may or may not have been targeted by the phishing attack, according to the report.

"This ratio translates to just 0.00125%, a relatively small number. However, taking into account the large number of phishing attacks that occur over the course of 12 months, 1.04% (12.5*832 = 10,400) of a bank's customers visit a phishing website each year," the report says. So for every one million bank customers, 4,700 online banking credentials are lost to the bad guys per year -- .47 percent of a bank's customers.

Phishing researcher Joshua Perrymon says Trusteer's data isn't too surprising because it focuses on consumers. "I would say that the 0.47 percent rate of people who are targeted probably click on the link. But again, they are talking about consumers in this report, and not employees of a company, so that is harder to calculate as you have no control over consumers, and it's hard to contact each one to ask if they got 'phished' because they don't know," says Perrymon, who is CEO at PacketFocus. "In this scenario, attackers are sending spam-style phishing emails to a large number of possible emails to directly target a single brand. So the chance of hitting a user that actually uses the bank is small to begin with, unless they got a list from an insider."

To get better numbers on phishing attack successes, Perrymon says, you would need to control the testing. "If they would have been given the list of consumer email addresses, they could better determine how effective phishing attacks due to technical controls and user security awareness," he says.

While security researchers across the industry have been pointing to targeted phishing attacks as more effective and lucrative than the wide net of a general phishing campaign, Trusteer's Klein says Trusteer's data appears to indicate that "carpet-bombing still appears to work" in the end.

As for whether phishing is on the rise or decline, Klein says his company's report didn't address that. "The research was not conducted over a long enough period of time to relate directly to the question of whether phishing is on the decline," he says. "We were looking at absolute figures...I think it clearly shows the overall phenomenon of phishing is not declining."

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.