http://askbobrankin.com/

WOW: Surprising Stats on Phishing
Category: Security

Researchers at Google and UCSD have released a study showing that an astonishing 14% of visits to phishing pages end with the visitor handing over personal information. They also reveal how the bad guys gain access to victims' accounts and what they do once they get in. Read on, and please forward this article to a friend...

Why Phishing Works

In their paper "Handcrafted Fraud and Extortion: Manual Account Hijacking in the Wild", a team of eight researchers from Google and the University of California San Diego make some claims about phishing (attempts to trick people into handing over their login credentials) that I found astonishing. Are you ready for this? Some phishing websites succeed at tricking users 45% of the time. Obviously these are the most sophisticated and realistic ones, but even the most poorly executed fake sites work on 3% of the people who are tricked into visiting them.

The paper focuses on what it calls manual hijacking, in which "professional attackers spend considerable time exploiting a single victim's account, often causing financial losses." Such targeted, labor-intensive attacks are rare, Google assures us: only "9 incidents per million users per day." But according to other researchers there are 2,405,518,376 Internet users, and 70 percent of them use the Internet every day. I'll do the math for you: 2.4 billion users, times 70%, times 9 per million, comes to roughly 15,150 people hijacked every day. Clearly, more education is needed to make Internet users aware of this menace.

Most manual hijackings involve phishing, says Google. Bad guys send millions and millions of messages designed to trick recipients into taking some action that gives the bad guys access to their accounts. The medium is most often email, but it can also be a text message, Tweet, or Facebook notification.

We Won't Get Fooled Again. Maybe.

Most "phishing lines" are tied to websites, which is where the actual invasion of an account originates. The site may continue the message's deception, seducing the victim into giving up his login credentials for a key account, or teasing out of him enough personal information to enable identity fraud. Alternatively, a rogue site may occupy the victim with a game, some information, or a phony "free virus checkup test" while in the background a malware app is delivered to his device and triggered by a click that ostensibly does something else.

Use 2-step verification wherever your account issuers offer it. Google, for example, will send a one-time passcode to your phone via text message; you must enter it along with your permanent password to get into your Google account. Without the passcode, a stolen login and password alone will not get a phisher in. One caveat: a convincing phishing page can ask you for the texted code as well and relay it to the real site within the code's short lifetime, so an authenticator app or a hardware security key is a stronger second factor than a text message. Even so, any second factor is far better than a password alone.

Google found that a majority of the hijackers operate in China, Ivory Coast, Malaysia, Nigeria, and South Africa. The researchers also analyzed a sample of phishing sites and hijacking incidents to determine how the bad guys gain access to victims' accounts and what they do once they are "in." The study paints a chilling picture of highly efficient, devastating rapacity. The best of those rogue websites work 45% of the time, tricking visitors into cooperating in their own destruction. Even the most obviously fake sites (ones with nothing but a simple form prompting for a username and password) worked 3% of the time. On average, 14% of visits resulted in the visitor entering his own personal information on the site. About 20% of victims had their accounts raided within 30 minutes of giving a rogue site the keys. Once hijackers get into an account they spend about 20 minutes, on average, rooting around for more sensitive information and blasting out more phishing messages to the victim's contacts, if those are available. New targets who receive phishing messages from a compromised account are 36 times more likely to fall victim themselves, because they trust the sender.

Phishers learn and adapt very rapidly. When Google started asking "secret questions" like "What was the name of the street you grew up on?", phishers immediately began looking for the answers, and finding them.

What Should You Do?

The moral of this study is "constant vigilance." Phishing is rapidly replacing self-replicating viruses as the dominant threat to your security online. Phishing depends on your carelessness; keep your mental shields up as well as your antimalware software shields.

If you suspect you may have given your personal info to the wrong people, act immediately, even if the incident happened days ago. Change your password; if you can't, the account has probably already been taken over. If the phish involved a bank account, credit card, or other specific account, get hold of the account issuer immediately and do what can be done to close the barn door or put out the fire.

Using 2-step verification, as I mentioned above, will keep a phisher who has only your username and password out of your account. And finally, I think it's imperative that we help our family and friends maintain awareness of how phishing works, and how to avoid falling into this trap. Forwarding this article, or sharing the link on Facebook, would be a good start.
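The two-step login described above (a permanent password plus a short-lived one-time code texted to the user), as an added Python example written for this page; it is not Google's implementation and not code from the study. The user record, the phone number, the five-minute code lifetime and the in-memory list standing in for the SMS gateway are all assumptions. It shows the three properties that make the scheme work against a stolen password: the password is checked first, a code is accepted only once, and a code expires.

```python
import hashlib
import hmac
import os
import secrets
import time

# Example code written for this page; it is not Google's implementation.
# The user record, phone number, code lifetime and the in-memory "SMS gateway"
# below are all assumptions for the demo.

def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2 so a leaked database does not leak passwords outright."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

DEMO_SALT = os.urandom(16)
USERS = {
    "alice@example.com": {
        "salt": DEMO_SALT,
        "pw_hash": hash_password("correct horse battery staple", DEMO_SALT),
        "phone": "+1-555-0100",   # assumed number the one-time code is texted to
    }
}

CODE_TTL_SECONDS = 300     # assumption: a texted code stays valid for five minutes
PENDING_CODES = {}         # user -> (code, expiry timestamp); one live code per user
SENT_SMS = []              # stands in for the SMS gateway: (phone, code) pairs

def check_password(user: str, password: str) -> bool:
    """First factor. Constant-time comparison avoids leaking how close a guess was."""
    rec = USERS.get(user)
    if rec is None:
        return False
    return hmac.compare_digest(hash_password(password, rec["salt"]), rec["pw_hash"])

def issue_code(user: str, now: float) -> None:
    """Second factor: a fresh random 6-digit code, delivered out of band."""
    code = f"{secrets.randbelow(1_000_000):06d}"
    PENDING_CODES[user] = (code, now + CODE_TTL_SECONDS)   # replaces any older code
    SENT_SMS.append((USERS[user]["phone"], code))

def check_code(user: str, code: str, now: float) -> bool:
    """A code is accepted at most once, and only before it expires."""
    entry = PENDING_CODES.pop(user, None)   # pop first: any attempt consumes the code
    if entry is None:
        return False
    expected, expires_at = entry
    if now > expires_at:
        return False
    return hmac.compare_digest(expected, code)

def login(user: str, password: str, code: str = None, now: float = None) -> str:
    """Returns 'denied', 'need_code' (password ok, code texted) or 'ok'."""
    now = time.time() if now is None else now
    if not check_password(user, password):
        return "denied"          # wrong password: no code is sent, nothing to phish
    if code is None:
        issue_code(user, now)
        return "need_code"       # a phisher holding only the password stops here
    return "ok" if check_code(user, code, now) else "denied"

if __name__ == "__main__":
    u, pw = "alice@example.com", "correct horse battery staple"
    print(login(u, "password123"))            # denied
    print(login(u, pw))                       # need_code (code lands in SENT_SMS)
    texted = SENT_SMS[-1][1]
    print(login(u, pw, texted))               # ok
    print(login(u, pw, texted))               # denied: the code was single use
```

Note what this does not defend against: if the victim is tricked into typing the freshly texted code into a phishing page, the phisher can submit it to the real site before it expires. Single use and a short lifetime only narrow that window, which is why an authenticator app or a security key bound to the real site's origin is the stronger choice.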