Martin McKeay

Phishing statistics

By Martin McKeay
January 11, 2006 8:23 PM EST
I spent most of my afternoon at the monthly San Francisco Bay Area Information Systems Security Association meeting, listening to Andrew from MailFrontier.  You may recognize MailFrontier if you've ever taken their Phishing Test.  In case you don't know, phishing is the act of trying to get personal information, usually credit card information, by posing as a legitimate company, using email.  When I took the test, I only scored an 8 out of 10, but it was because I was too paranoid about email.  Guess that's why I'm in security.

Two things really struck me about his presentation.  First of all, Andrew stated that you can go online and get all the tools you need to start your own phishing campaign for around $200.  That includes the software to create your mailing list, the software to send out your email, and a list of legitimate email addresses to send your emails to.  He was a little cagey when one member of the audience asked him where these tools were to be found, but who can blame him?

Then came his statistics; blame any inaccuracies on me, I'm doing this from memory.

Suppose the spammer sends out 2,000,000 emails.
Of that, 5% go to legitimate email addresses, or 100,000.
Of that, 5% of the people receiving the phishing email respond, or 5,000.
Of that number, only 2% are foolish enough to actually submit their personal information, or 100 real people.  MailFrontier's site quotes the FTC as saying the average phishing loss is about $1,200.  So, for an up-front investment of $200, a phisher can make $120,000!

Even if those numbers are exaggerated by a factor of 10, no wonder there are so many people out there sending you phishing scams.  And there's only one real solution to the phishing problem:  education.  Take the time to learn what phishing is and how to avoid it.  And the Anti-Phishing Workgroup is a good place to start.