A survey by First Data Corp. in 2005 found 43% of US adults had received at least one fraudulent email, in most cases purporting to be a financial institution. Of those, about 1 in 20 – or 4.5 million people – provided the requested information and about half of those ended up being victims of theft or identity fraud. According to antiphishing.org, 89.3% of all phishing attacks target financial institutions.
Those are some large numbers but I have to admit that my first reaction was to ask "who are those lucky 57% who have not yet received a phishing email?" Many of them simply do not have email. For the remainder, unfortunately the question answers itself. They are the people who have not yet received their first phish.
Phishing emails attempt to trick the reader into believing that the message is from a trusted source and following their "convenient" link to a fraudulent site which looks and feels just like the official site but which is designed to steal the user's private information. Even though this doesn't fool most consumers, phishers rely on "spam economics" – they can make money even if only a fraction of a percent of their scams succeed.
Phishers are beginning to add to their tactics. Many are providing a fraudulent telephone number in the email rather than just a fraudulent hyperlink. The criminal then sets up his/her own IVR system to steal your information when you call in. Others are making increased use of trojan horses – programs which are covertly installed onto your computer and which either log all your keystrokes or install a backdoor through with the criminal can take control of your computer.
Never trust anything sent in an unsolicited email. Never directly answer any request for your private information. If you think the request might be legitimate, type the company's address into your web-browser yourself. If this is a real request, expect it to be prominently displayed on your account page on the company's real website. If you are going to call them by phone, get the phone number off of your last paper statement. Never trust the "convenient" number on the email. Finally, remember that no reputable financial institution will ever ask for your personal information via email.
Incidentally, in 2005 the Federal Trade Commission estimated that 9.93 million persons were affected by identity theft, causing a loss to financial institutions of $46.9 billion. Combining that with the statistics above, phishing accounts for only about one quarter of all identity theft cases. This is consistent with other studies which show that most ID theft is based on paper documents. We should still be vigilant against these kinds of scam messages but we should be even more vigilant about making sure that our paper waste is properly destroyed.