Phishing Statistics ‘Staggering’, Professor Says

26 June 2015

The success of phishing attacks, or fraudulent emails that appear to be from a legitimate company and contain malware or requests for personal information, relies on recipients’ lack of understanding of the risks associated with phishing. Due to increasing awareness of these risks, only a small percentage of the people who receive phishing emails actually open them, but because of the sheer volume of these emails sent out daily, this still represents a “staggering” number of successful scams, according to Brock University information systems professor Teju Herath.

In a speech given as part of Memorial University of Newfoundland’s Cyber-Crime Speaker Series, Herath outlined the statistics on the success of phishing campaigns worldwide. Only 3 percent of all phishing emails are successful in obtaining people’s personal information, but this is still a significant number. Approximately 156 million phishing emails are sent daily around the world. About 16 million of these emails manage to get through spam filters, and 8 million are opened. About 800,000 people click on the fraudulent links included in the emails, and about 80,000 provide the information requested. So although 97 percent of phishing schemes fail, tens of thousands of people per day are still victimized.

Once the fraudsters behind phishing schemes get ahold of the information they need, they may use it right away, or they might wait a while in order to reduce the chances that the victims will find out about it. Crimes associated with phishing range from identity theft to credit fraud.

“People who have fallen for this identity theft called phishing, and you can see the many documentaries, it is a personal agony for them to regain their own identity,” Herath said.

According to a report from data encryption company Proofpoint Inc., hackers have largely changed their phishing tactics recently because people have become more aware of security threats on social media. Facebook and Twitter phishing seems to have become a thing of the past as the success rates of these methods have dropped.

Instead, the phishing strategy du jour has become targeting middle managers at work with emails that seem to come from within the structure of the company they work for. These emails contain malicious versions of things that might ordinarily be contained in work emails, like attached documents, voicemail links and e-faxes. According to Proofpoint’s report, because the emphasis in phishing awareness campaigns has fallen so heavily on the side of personal email and social media, these traditionally work-related links and documents don’t ring as many alarm bells for their recipients.

“Every company still clicks; every department and industry is still at risk (though financial industries and sales and marketing continue to be the top target areas); and attackers continue to shift tactics to play on human weaknesses as they siphon money and data from organizations,” the report concluded.

To avoid falling victim to a phishing scheme, never enter personal information into a website you access through an embedded link in an email. It can also be helpful to sign up for a credit monitoring service to alert you to certain changes in your credit files.