The business of “phishing” has a much higher success rate than previously estimated, according to a controversial new US study.
A single phishing attack can realise a success rate of up to 14% in only 24 hours, say Marcus Jakobsson and Jacob Ratkiewicz in their recently published paper: “Designing Ethical Phishing Experiments: A study of (ROT13) rOnl query features”.
Previous studies into the effectiveness of phishing are based on surveys, such as a 2004 Gartner Group survey, and estimate that about 5% of adult American internet users fall victim to phishers over a 12-month period, costing US consumers about US$2.4 billion per year. That 5% may have received numerous attacks over the course of the year, leading most IT security specialists to assume that phishing has a very low rate of success per attack.
Jakobsson and Ratkiewicz assert that these surveys “may severely underestimate the real costs and number of victims, both due to the stigma associated with being tricked (causing people to under-report such events), and due to the fact that many victims may not be aware yet of the fact that they were successfully targeted.”
The Indiana study used real user populations and had to be approved by an ethics committee because participants were not fully aware of all aspects of the research.
Jakobsson and Ratkiewicz used a fake phishing exercise to count how many experienced eBay users would respond to a spoof email and follow links to a fake site. The study found that 11% (plus or minus 3%) would respond.
The authors also pour cold water on a 2005 study by Mailfrontier that found that people correctly identified phishing emails 83% of the time. The research participants knew they were being tested on their ability to identify a phishing email and hence were more suspicious than they normally would be, said Jakobsson and Ratkiewicz.
Little data is available on the incidence of phishing in Australia and New Zealand, or on its relevance to the banking industry there. Banks mostly contend that the losses arising from phishing attacks (often emails asking customers to verify details via a replica of a bank website) are low, though they acknowledge that customer perception of the problem is significant.