Though relatively few European and American internet banking users fall victim to phishing attacks, the potential financial losses faced by banks remain substantial. These costs could run to as much as $9.4 million annually per 1 million users if criminals abuse all compromised accounts.
This warning comes from US-based security specialist Trusteer, which has just completed a study based on a sample of more than 3 million customers from 10 large US and European banks using its Rapport browser security service.
Key findings of Trusteer’s study were:
• 1.04 percent of bank customers click on malicious links and are redirected to a phishing website;
• Each phishing attack compromises a very small number of customer accounts (0.000564 percent), but due to the large number of attacks, the aggregated number is significant; and
• 0.47 percent of a bank’s customers divulge their login details and other personal information on phishing websites. If abused, the losses associated with these hijacked credentials would range from $2.4 million to $9.4 million annually per one million online banking clients.
Trusteer noted in its study that although there is a multitude of research findings and statistics on phishing attacks, information on how successful they are, how many users actually respond to them, and how many submit their login details or other personal information to criminal websites has been elusive. The reason, explained Trusteer, is that this information is extremely hard to collect.
Trusteer says it has overcome this problem by incorporating a plug-in into its Rapport product that monitors phishing attacks against the computers it protects. The plug-in can also prevent users from submitting login information to phishing websites.
Trusteer’s Rapport solution was this year’s winner of Frost & Sullivan’s Innovation of the Year Award. The consultancy highlighted that the product is capable of defeating browser-based attacks such as phishing, pharming, man-in-the-browser, man-in-the-middle and session hijacking.