In a recent post, Will New Domain Names Help Stop Phishing, a reader commented that he would like to see some statistics specific to phishing and small businesses.
Since we love our readers, here is a list of statistics that center around the dangers associated with phishing.
When the Magill Report interviewed Sam Masiello, general manager of anti-phishing services at Return Path, he stated that:
“when a company gets phished, the costs are enormous.”
And why is that? Because customers are 42 percent less likely to do business with you if you are being targeted by a phishing attack.
What’s more, phishing costs brands and corporations more than 98 billion dollars a year according to a Cisco white paper.
Spear-Phishing vs Mass Phishing
If you aren’t aware of the difference, mass phishing is an attack in which victims are chosen at random. Spear-phishing is a targeted attack against a high-value target.
In a mass phishing attack, an estimated 3 percent of all emails are opened. Spear-phishing attacks yield a 70 percent open rate because the message appears to come from someone the recipient trusts.
The value of the victims differs as well: a mass phishing victim is worth about 2,000 dollars, whereas the victim of a spear-phishing attack could net the attacker around 70,000 dollars.
But spear-phishing campaigns are more expensive to run, costing the attacker around 10,000 dollars as opposed to the 2,000 dollars it takes to manage a mass phishing campaign.
As for the number of people who fall victim to a phishing scam, mass phishing generally produces about 8 victims for every 100,000 targeted users, while spear-phishing attacks generally yield 2 victims for every 1,000 targeted users. Overall, the attacker can expect a 150,000 dollar profit from a spear-phishing attack as opposed to 14,000 dollars for a mass phishing campaign.
Phishing and Domains
In order to trick victims into falling for their scams, the attacker needs to either create a domain to use for their attacks or spoof an existing domain. Let’s take a look at these numbers…
In the second half of 2011, there were 83,083 unique phishing domains worldwide, spread across 200 top-level domains, according to the Global Phishing Survey. In the same period, 520 existing domains (belonging to financial institutions, social networking sites and the like) were targeted by phishing attacks. The top 20 targets accounted for 78 percent of all attacks.
In the first half of 2011, PayPal was the number one targeted domain for phishing attacks, with a recorded 34,209 attacks. In the second half of 2011, the number of PayPal attacks dropped to 7,169, and Taobao.com, a Chinese site, took over the top spot with a recorded 18,508 attacks.
Of the domains used for phishing in the second half of 2011, 25 percent were registered maliciously by phishers; the remaining 75 percent of attacks came from legitimate domains that had been compromised by cyber-criminals.
Finally, URL shortening was used in only 398 attacks in the second half of 2011, probably because users have come to distrust URLs that are hidden behind shortening services.
Using existing companies as bait for phishing attacks seems to be on the rise again, as shown by the fact that 400 brands were used in phishing emails in the first quarter of 2012 alone.
The Volume of Phishing Emails
Of course, you can’t talk about phishing statistics without looking at the sheer volume of emails sent out by scammers in an attempt to lure victims into divulging sensitive information, giving up their user credentials or downloading malware.
An article by Smart Money showed how one phishing campaign impersonating Nacha, a Virginia-based payment processing company, sent out 167 million forged emails in a single day. These emails contained the company logo, its contact information and even content taken directly from its website.
According to Dr. Dobb’s, 500 million phishing emails appear in user inboxes every day.
With numbers like these, it is evident that phishing isn’t going anywhere. We can expect the number of incidents driven by spear-phishing attacks to increase steadily as more money is made from them.
To fight back, organizations need not only to secure their email systems with anti-spam filtering technologies, but also to train their staff to better identify, and in turn avoid, phishing attempts.