Friday, May 8, 2009

Real World Phishing Statistics

Over the last two days I have been dealing with the fallout of a big phishing message that hit our organization.  We had two messages come out in two days and one of them was really well done.  It had no grammar mistakes and it used the proper name of our organization and our services.  The spoofed reply-to address even matched our domain, which has not been the case in previous phishing messages.  This one was head and shoulders above the rest.

We had to field a lot of calls from people asking about this message.  We get phishing messages every day so I have to admit that I am a little bit jaded about them now.  But after we got a few calls I ran a query to find out how many of these had come in and when we saw that it was a rather large number (465 users) we decided that we needed to take some action.  We queried our outgoing mail and locked the user account of anyone that responded to the message in any way.  The next day the second message came in and it went to about 840 users.  This time we hijacked the return address so that anyone who sent a response went into a mailbox that we control instead of the phisher.  This was helpful in preventing misuse of our systems, but it also allowed us to gather some statistics that I'd like to share with you.  Keep in mind that these are statistics for one single incident at a college in the Midwest United States.  It would be foolish to think these numbers will hold true for any organization in any part of the world.

The two messages went to a total of 853 unique users (there was some overlap in the two messages).  Of those 853 users, 29 responded to the message.  We have about 14,000 user accounts so that means that we can say with 95% confidence that 3.34% (+/- 1.17%) of our users will provide *SOME* response to a well-crafted phishing message.

Of the 29 total responses, we were able to intercept and examine 13 of them.  Of the 13 we found that 11 of them had responded with a username and password.  The other people told the phisher to "piss off" or asked if the request was real.  Based on these numbers we have a sample size of 29 out of a population of 853 and 84.61% provided their password.  So we can say with 95% certainty that 84.61% (+/- 14.83%) of responses to phishing messages contain the username and password.

There are a couple of interesting demographic things you should know about our organization and my methodology for coming up with these numbers.  First of all, I came up with the statistics using the sample size calculator here: http://www.surveysystem.com/sscalc.htm
Next, our organization has about 14,000 users, most of whom are from the Midwest and most of whom are between the ages of 18 and 22.  10% of the population has been through a computer-based awareness training program, and the organization sends email reminders about phishing about twice a year.
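For readers who want to reproduce the intervals above without the web calculator, here is the arithmetic the surveysystem.com calculator performs: the normal-approximation margin of error for a proportion, scaled by the finite population correction. This is an added example, not code from the post; the function names and the 1.96 z-score for 95% confidence are my choices, and the inputs are the post's own counts. With the post's inputs it gives the post's first figure (3.34% +/- 1.17% for 853 recipients out of 14,000 accounts). The second figure, +/- 14.83%, is what the formula returns when the 13 intercepted replies are treated as the sample and the 29 responses as the population; a sample of 29 from 853 comes out near +/- 12.9%, so anyone reusing these numbers should be clear about which population they mean.

```python
"""Finite-population margin of error for a proportion (added example; the
constructed inputs below are the counts reported in the post)."""
import math

Z_95 = 1.96  # z-score for a 95% confidence level


def margin_of_error(p, n, population, z=Z_95):
    """Half-width of the confidence interval for a proportion p observed in a
    sample of n drawn from a finite population, with the finite population
    correction (FPC) applied.  Returns a fraction, e.g. 0.0117 for +/- 1.17%."""
    if not 0 <= p <= 1 or n <= 0 or population < n:
        raise ValueError("need 0 <= p <= 1 and 0 < n <= population")
    standard_error = math.sqrt(p * (1 - p) / n)
    # FPC shrinks the interval as the sample approaches the whole population;
    # sampling everyone gives a margin of exactly zero.
    fpc = math.sqrt((population - n) / (population - 1)) if population > 1 else 1.0
    return z * standard_error * fpc


def confidence_interval_pct(p, n, population, z=Z_95):
    """Return (low, high, margin) in percent, clipped to the 0..100 range."""
    m = margin_of_error(p, n, population, z)
    return (max(0.0, 100 * (p - m)), min(100.0, 100 * (p + m)), 100 * m)


def needed_sample_size(margin, population, p=0.5, z=Z_95):
    """Sample size needed to reach a given margin (as a fraction) on a finite
    population.  p=0.5 is the most conservative choice when the true rate is
    unknown, e.g. before a simulated phishing exercise."""
    ss = z * z * p * (1 - p) / (margin * margin)
    return math.ceil(ss / (1 + (ss - 1) / population))


if __name__ == "__main__":
    # Response rate: 29 of 853 recipients answered; 14,000 accounts in total.
    # The post rounds the proportion to 3.34% before computing the interval.
    low, high, m = confidence_interval_pct(0.0334, 853, 14000)
    print("response rate: %.2f%% .. %.2f%% (+/- %.2f%%)" % (low, high, m))
    # Credential disclosure: 11 of the 13 intercepted replies carried a password.
    print("password in reply, 13 of 29:  +/- %.2f%%" % confidence_interval_pct(11 / 13, 13, 29)[2])
    print("password in reply, 29 of 853: +/- %.2f%%" % confidence_interval_pct(11 / 13, 29, 853)[2])
    # Planning a future awareness test on the same 14,000-account population.
    print("recipients for +/- 5%% at 95%%: %d" % needed_sample_size(0.05, 14000))
```

`needed_sample_size` is the other direction of the same calculator and is useful when sizing a controlled awareness test: for a 14,000-account population, about 374 recipients are enough for a +/- 5% estimate of the response rate.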

One thing that no human or machine could count is the number of calls, emails and shouts in the hallway asking if the message was real or not.  That actually consumed more of my time than dealing with the 29 people that responded to the messages.  So if you're ever working through how much a phishing attack might cost your organization, make sure you add in the value of people's time dealing with the same question about 6 million times.  6 million times in an organization with about 14,000 users.  That's a good starting metric, but you may get more.  
