Google has released a new infographic visualising some quite remarkable figures about phishing attacks. The information, gained through statistical analysis of their Gmail service, provides an insight into the lengths that would-be attackers will go to in order to get access to your accounts, and the value that they attribute to them.
Phishing attacks differ from malware-based attacks in that they don’t attempt to gain access to your PC or install any software. Instead, phishing emails pretend to be from a known source, say your bank or eBay, and attempt to get your logon details for that service. They’ll include a link back to a very believable-looking website – typically an exact clone of your online banking logon page, or the eBay sign-in page – and once you have attempted to log on to this fake site, your details will then be used by the attacker to access the real site. The level of detail in these emails and websites can sometimes be very impressive, and often the only clue as to their nature is a slight variation in the domain name being shown in your browser.
Google show that the best phishing sites manage to succeed in tricking people into entering their details 45% of the time. They report that “our research found some fake websites worked a whopping 45% of the time. On average, people visiting the fake pages submitted their info 14% of the time, and even the most obviously fake sites still managed to deceive 3% of people.”
That’s immense. Let’s look at that statement again. “…even the most obviously fake sites still managed to deceive 3% of people”. Given that a spammer can send out millions of emails very easily, even a 3% success rate means tens of thousands of user accounts being compromised in a simple attack. If the attackers are willing to really put in the effort to clone a target website, and if they target known users of that site – say because they have managed to grab a list of known account emails from that site – then out of a million emails sent out nearly 450,000 user accounts could be compromised.
Google also make mention of hyper-targeted phishing attacks in which attackers will target specific users. Clearly this takes a much greater amount of skill to pull off, and you have to be a target of some value to justify the effort, but the success rate is likely to be much higher. Fortunately the number of attacks is far, far lower, with Google reporting about “9 incidents per million users per day”.
Speed is clearly of the essence. As soon as a user enters their logon information into one of these sites it’s going to be clear that something is up. Most sites will show a very realistic error screen, but the user won’t take long to figure things out. As a result the attackers move fast, with Google saying that “around 20% of hijacked accounts are accessed within 30 minutes of a hacker obtaining the login info.” Once your account is compromised it’s most likely that your passwords will be changed and your contact details altered, effectively blocking all access to your account.
How to prevent yourself from being the victim of a phishing attack
It’s hard to prevent this from happening completely. We live busy lives, receive a ton of emails each day, and sometimes you just click on the wrong link. However, there are two simple, golden, absolute must-have rules.
- Never click on a link in an email, even one from an institution that you know, such as eBay or your bank. Instead, go to your browser and manually type the address of the site, or Google them and click through from the search results.
- Enable two-factor authentication. Most services, such as Google Apps, Twitter and Office 365, support a double layer of authentication, requiring your username, your password and also a one-time code generated either by an app on your phone or by a dedicated device such as a keyfob. It’s so easy to use that there is no reason why you shouldn’t do this right now.
- Set up web filtering, either on your firewall or in your desktop AV app. This will assess all the sites that your users are visiting and prevent their browser from showing any sites which are pretending to be something they aren’t.
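The first rule exists because the visible text of an email link and its real destination can differ, and the only tell may be a slight variation in the domain. The following script is an added example (not from the original post or from Google) that audits the links in an HTML email body against a constructed allowlist of sites you actually use, flagging destinations that are near-misses of a trusted domain or whose link text names a different site than the one it really points to. The `TRUSTED` set, `SWAPS` table and `SAMPLE` body are all assumptions built for the demonstration.

```python
import re
from urllib.parse import urlparse

TRUSTED = {"ebay.com", "paypal.com", "google.com"}  # constructed allowlist (an assumption)
SWAPS = {"rn": "m", "vv": "w", "0": "o", "1": "l", "3": "e", "5": "s"}  # lookalike swaps
ANCHOR = re.compile(r'<a\s[^>]*href="([^"]*)"[^>]*>(.*?)</a>', re.I | re.S)

def registered_domain(url):
    host = (urlparse(url).hostname or "").lower()
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host  # signin.ebay.com -> ebay.com

def edit_distance(a, b):
    """Levenshtein distance, to catch one- or two-character variations of a name."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(domain):
    """Return ('trusted'|'lookalike'|'unknown', trusted domain being mimicked or None)."""
    if domain in TRUSTED:
        return "trusted", domain
    folded = domain
    for bad, good in SWAPS.items():
        folded = folded.replace(bad, good)
    for t in TRUSTED:
        brand = t.split(".")[0]  # 'ebay' inside 'secure-ebay-login.com' is a red flag
        if folded == t or brand in domain or edit_distance(domain, t) <= 2:
            return "lookalike", t
    return "unknown", None

def audit_links(html):
    """Per link: real destination, its verdict, and whether the visible text names
    a trusted site other than the one the link actually goes to."""
    report = []
    for href, text in ANCHOR.findall(html):
        dom = registered_domain(href)
        verdict, mimics = classify(dom)
        mismatch = any(t in text.lower() and t != dom for t in TRUSTED)
        report.append({"text": text.strip(), "href": href, "domain": dom,
                       "verdict": verdict, "mimics": mimics, "text_mismatch": mismatch})
    return report

# Constructed sample mail body: one genuine link and two of the kind the post describes.
SAMPLE = ('Sign in at <a href="https://signin.ebay.com/">ebay.com</a> or via '
          '<a href="http://secure-ebay-login.com/">https://www.ebay.com/signin</a>, '
          'and check <a href="https://paypa1.com/">PayPal</a>.')
```

The regex anchor matcher is adequate for simple mail bodies; a production mail filter would use a real HTML parser and the public suffix list rather than the last-two-labels shortcut.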