Google published a research paper on manual account hijacking, fraud, and extortion. The full research paper can be read here. I would recommend reading to fully understand the research methods and sample size data.
What is phishing? I found a good definition from Wikipedia including links to other security topics.
Phishing is the attempt to acquire sensitive information such as usernames, passwords, and credit card details (and sometimes, indirectly, money) by masquerading as a trustworthy entity in an electronic communication. Communications purporting to be from popular social web sites, auction sites, banks, online payment processors or IT administrators are commonly used to lure unsuspecting public. Phishing emails may contain links to websites that are infected with malware. Phishing is typically carried out by email spoofingor instant messaging, and it often directs users to enter details at a fake website whose look and feel are almost identical to the legitimate one. Phishing is an example of social engineering techniques used to deceive users, and exploits the poor usability of current web security technologies. Attempts to deal with the growing number of reported phishing incidents include legislation, user training, public awareness, and technical security measures. Many websites have now created secondary tools for applications, like maps for games, but they should be clearly marked as to who wrote them, and you should not use the same passwords anywhere on the internet.
Some surprising revelations from the study (at least to me):
- 45% of the effective phishing websites are able to harvest data from the users
- 99% of the HTTP refers were blank meaning that 99% of the traffic to the phishing website was generated by email
- >99% of the email addressed that were phished came from .edu domains, it appears that the schools have the worst spam filters. So hackers are targeting schools for phishing attacks.
- 20% of the accounts are accessed within 30 minutes of harvesting the information and 50% within 7 hours.
There is a boatload of interesting information in the paper. My takeaway is that phishing scams are successful and will continue to grow in the near future. Protect yourself do not follow links in email, always access your banking information from your browser not an email link.