The most successful phishing attacks manage to dupe their victims a full 45 percent of the time, according to a study released last week by Google.
On average, phishing’s success rate is about 14 percent, but even the most obvious scams still manage to lure 3 percent of the people targeted to a fake website and convince them to turn over personal information, the report found.
“Considering that an attacker can send out millions of messages, these success rates are nothing to sneeze at,” said Elie Bursztein, Google’s antiabuse research lead.
Google’s report, titled “Handcrafted Fraud and Extortion: Manual Account Hijacking in the Wild,” describes how professional attackers focus exhaustively on exploiting a single victim’s account, with the goal of causing financial losses.
Roughly 9 such incidents per million users occur per day, Bursztein said. To study the phenomenon, Google used 14 datasets collected between 2011 and 2014.
“The simple answer is, phishing works,” John Shier, a security advisor at Sophos, told the E-Commerce Times. “Otherwise, it wouldn’t be so popular with cybercriminals.”
A hijacked account is “very valuable to an attacker, and there are many ways to accomplish that,” he added. “Manual hijacking is just one way to do it.”
About 20 percent of the hijacked accounts identified in Google’s study were accessed within 30 minutes of the hacker’s acquisition of the account’s login information. Once inside, hijackers spent more than 20 minutes there, often changing the password to lock out the true owner, searching for other account details, such as bank information and social media accounts, and scamming new victims.
People in the contact lists of hijacked accounts are 36 times more likely to be hijacked themselves, Google found.
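The hijacker behaviour the study describes (a long session from an unfamiliar device, a password change to lock out the owner, searches for bank and social-media details, and mass mail to the victim's contacts) is observable in ordinary account activity logs. The script below is an added illustration of how a defender might score sessions for that pattern; it is not code from Google or from the study. The log format, the sample events, the indicator names and the flagging threshold are all constructed assumptions for the example.

```python
"""Score account sessions for the manual-hijacking pattern described in the
Google study: unfamiliar device, long session, password change, searches for
financial or social-media details, and bulk mail to contacts.

Added example, not code from Google or the study. The pipe-separated event
format, the sample events and the indicator weights are constructed here.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample log: timestamp|user|session|device|action|detail
SAMPLE_LOG = """\
2014-11-10T09:00:00|alice|s1|known|login|
2014-11-10T09:02:00|alice|s1|known|search|project budget
2014-11-10T09:05:00|alice|s1|known|logout|
2014-11-10T13:00:00|alice|s2|unknown|login|
2014-11-10T13:03:00|alice|s2|unknown|password_change|
2014-11-10T13:05:00|alice|s2|unknown|search|bank statement
2014-11-10T13:09:00|alice|s2|unknown|search|paypal
2014-11-10T13:15:00|alice|s2|unknown|send_mail|recipients=40
2014-11-10T13:28:00|alice|s2|unknown|logout|
2014-11-10T15:00:00|bob|s3|unknown|login|
2014-11-10T15:01:00|bob|s3|unknown|logout|
"""

# Search terms that suggest the attacker is hunting for other accounts
# (assumed list; a real deployment would tune it).
SENSITIVE_TERMS = ("bank", "paypal", "wire", "credit card", "facebook", "twitter")

LONG_SESSION_MINUTES = 20   # the study reports hijackers spend over 20 minutes
BULK_MAIL_RECIPIENTS = 10   # assumed threshold for "scamming new victims"


def parse_events(text):
    """Parse the constructed pipe-separated log into dicts, sorted by time."""
    events = []
    for line in text.strip().splitlines():
        ts, user, session, device, action, detail = line.split("|", 5)
        events.append({
            "ts": datetime.fromisoformat(ts),
            "user": user,
            "session": session,
            "device_known": device == "known",
            "action": action,
            "detail": detail,
        })
    return sorted(events, key=lambda e: e["ts"])


def session_indicators(events):
    """Return the list of hijacking indicators present in one session."""
    indicators = []
    if not events[0]["device_known"]:
        indicators.append("unfamiliar_device")
    duration_min = (events[-1]["ts"] - events[0]["ts"]).total_seconds() / 60
    if duration_min >= LONG_SESSION_MINUTES:
        indicators.append("long_session")
    if any(e["action"] == "password_change" for e in events):
        indicators.append("password_changed")
    if any(e["action"] == "search"
           and any(t in e["detail"].lower() for t in SENSITIVE_TERMS)
           for e in events):
        indicators.append("financial_search")
    for e in events:
        if e["action"] == "send_mail" and e["detail"].startswith("recipients="):
            if int(e["detail"].split("=", 1)[1]) >= BULK_MAIL_RECIPIENTS:
                indicators.append("bulk_mail")
                break
    return indicators


def analyze_log(text):
    """Group events by session and return {session: {user, indicators}}."""
    sessions = defaultdict(list)
    for e in parse_events(text):
        sessions[e["session"]].append(e)
    return {
        sid: {"user": evs[0]["user"], "indicators": session_indicators(evs)}
        for sid, evs in sessions.items()
    }


def flag_hijacks(text, threshold=3):
    """Return session ids whose indicator count reaches the threshold."""
    report = analyze_log(text)
    return sorted(sid for sid, r in report.items()
                  if len(r["indicators"]) >= threshold)


if __name__ == "__main__":
    for sid, r in analyze_log(SAMPLE_LOG).items():
        print(sid, r["user"], r["indicators"])
    print("flagged:", flag_hijacks(SAMPLE_LOG))
```

A single indicator such as an unfamiliar device is routine (bob's session s3 shows only that one), so the flagging rule requires several indicators to co-occur; that is what separates the scripted attacker's behaviour in s2 from a legitimate owner logging in from a new laptop. Threshold and indicator weights are assumptions to be tuned against real traffic, and the same signals can drive a step-up check rather than a hard block.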
Password Reset Gone Wild
“The account hijacking data from Google paints a clear picture of the threats facing Internet users today,” Mark Stanislav, security project manager with Duo Security, told the E-Commerce Times.
One particularly interesting result: Google observed a 2:1 rate of phishing campaigns targeting email accounts versus banking information, Stanislav pointed out.
That “makes a lot of sense,” he said. “Once an attacker can access a user’s email account, they can often perform password-reset operations for many sites and services, allowing them to go much further into a person’s life than just a single bank account could.”
Also notable is that only 14 percent of accounts relying on “challenge questions” for account recovery succeeded in restoring access, while the rate was 81 percent when a user leveraged SMS to do so, Stanislav added.
“This statistic shows that users who do get hijacked need a reliable means that is more physical rather than knowledge-based to recover accounts easily,” he explained. “This same principle can extend to the reason why authentication that uses a user’s smartphone is a great means to prove that they are who they say they are.”
Two-factor authentication technologies are a key to reducing attackers’ success rates, Stanislav said.
Attacks on the Rise
While Google has used the findings of its study to improve the account security systems it has in place, it also encouraged users to be proactive, such as by reporting suspicious emails, giving Google a backup phone number or secondary email address for emergency contact, and using two-step verification.
“There is a shared responsibility on the consumer side to educate themselves regarding phishing and online fraud,” Ken Westin, security analyst for Tripwire, told the E-Commerce Times. “It is particularly timely given the holidays, when phishing and cybercrime in general are on the rise.”
Two-factor authentication is “a good idea all around,” Westin noted, “and not just for email but also social media accounts — most mainstream services provide this feature.”
In general, “consumers should never click on a link that appears to come from your bank or financial institution,” he warned.
“Instead, go directly to your browser, enter the URL of the bank and log in directly,” Westin advised. “If it is an urgent matter, it is recommended that you call your bank directly to verify.”