According to a poll of consumers conducted for Google, more people are concerned about their identity being stolen or their accounts being hacked than about someone breaking into their home.
Clearly, people are highly sensitized to the issue of identity theft and various forms of online mischief. The question is, how good are we at protecting ourselves against these threats?
Further Google analysis has determined that the biggest threats come from so-called “manual hijacking,” in which nefarious attackers spend significant time exploiting a single victim, with the near-inevitable result of financial losses.
The incidence of manual hijacking is rare — about nine incidents per million users per day. But the damage can be severe.
The most common way attackers gain illicit access to online accounts is through phishing — sending deceptive e-messages designed to trick recipients into divulging their user names, passwords, and related personal information.
Unfortunately, phishing attacks are working more effectively than people would care to admit.
The most effective attacks — the ones that “look and feel” legitimate — are successful in getting people to act about 45% of the time. Typically the recipient is taken to a fake but all-too-genuine-looking web page impersonating a “real” vendor, where the unsuspecting “phishee” is asked to provide personal information.
Incredibly, Google finds that nearly 15% of the people who go to those sites actually end up divulging their personal information.
Then it’s off to the races for the bad guys. Google’s findings show that approximately 20% of the compromised accounts are accessed within 30 minutes of the login information being nabbed.
And the breach isn’t for just a few seconds, as some people erroneously believe. In actuality, the average amount of time spent trolling around inside an unsuspecting owner’s account is more than 20 minutes. You can bet that those 20 minutes aren’t being spent wandering around “just looking”!
The kinds of things happening inside of those 20 minutes include changing passwords to lock the true owners out of the site and searching for pertinent information such as credit card data, SSNs, banking relationship data including account numbers and balances — and even social media account data.
Not only is this information used to fleece the target individual in question, but also to launch new attacks against other people who are discovered within the compromised individual’s own sphere of contacts.
These subsequent phishing attacks are often successful because they appear to be completely legitimate — communications coming from friends or relatives.
Not just successful, but really successful: Google estimates that people targeted from the contact lists of hijacked accounts are more than three times more likely to be successfully hacked themselves.
Keeping a healthy vigilance is what’s required to stymie these “manual hijacking” efforts. My own approach is to delete anything that comes from a purported “known” source if I’m not expecting the e-mail beforehand, without opening it. I figure if it’s important enough, the sender will get in touch with me a second time or in some other fashion.
If I’m particularly suspicious, I might also visit the sender’s website directly (through the web address I already have on file) to see if there’s any corroborating evidence that there is a legitimate attempt to get in touch with me.
The way I figure it, the minor inconvenience and/or delay in conducting business in this fashion is far less problematic than the potentially disastrous consequences associated with identity theft or account hijacking.
Unfortunately, there’s no indication at all that these kinds of “manual hijacking” activities will start declining anytime soon. It’s a very lucrative business for the perpetrators, because even a very small percentage of accounts compromised in this manner represents significant dollars when you consider how many millions of phishing messages are being sent out by these hijackers on the front end.
What are your strategies for counteracting phishing attempts? Please share your thoughts with other readers.
One thought on “Phishing Expeditions: How Effective Are They?”
[…] Denial of Service (DDoS) interruption. Maybe even a Telephony Denial of Service (TDoS) occupation. Phishing expeditions still fool enough people for hackers to cast nets targeting millions of email […]