Phishing: Expected Costs

In the previous post, I calculated the cost, in statistical terms, of identity theft for the typical person. But identity theft is not the only danger - what about the risks of phishing?

Consumer Reports, in their 2008 State of The Net report, claims that the likelihood of getting phished this year is 1 in 94, or just over 1%. The total amount lost to phishers nation-wide is estimated to be $2 billion.

Worry or Keep Cool?

If 1 in 94 American adults lost money to phishers, it means that $2 billion in costs were distributed amongst 2.4 million victims. From that statistic, we can figure that the average cost per person was about $835. If your chances of getting phished are 1 in 94, you can expect to lose (in statistical terms) $9 per year to phishers.

Now, knowing that you are likely to lose $9 per year in statistical terms is a bit of a strange concept. In any given year, you will either lose a large sum like $835 or nothing at all. It might be easier to think of the $9 per year as something each person should be willing to spend to avoid the consequences of phishing.

For example, everyone in the country could contribute $9 per year into a phishing fund and distribute the money to the victims of phishing. Those who contribute but don’t fall victim to phishing get peace of mind out of the deal. The victims get compensated for what they lose. Everyone wins as long as peace of mind doesn’t cost more than $9 per year. Beyond that, it’s best to take your chances!


A convincing con

PayPal fraudulent email

A few days ago, I got a fraudulent email purporting to be from PayPal, which was surprisingly convincing.

The email’s most credible feature was its timing, which coincided with a recent PayPal transaction of mine.

Close…

Here’s why I was almost caught out:

  1. The message was addressed to me, Ian Saxon, not “Valued Customer”
  2. The email appeared to come from a legitimate PayPal email address (service@paypal.com)
  3. The contents were mostly well written. I noticed only four spelling and grammatical mistakes.
  4. I used PayPal recently, making it plausible that the company would want to check that the transaction was legitimate

…But not quite

The email was certainly not legitimate. Here’s how I knew:

  1. There were spelling and grammatical errors. Don’t kid yourself - the real PayPal has proofreaders
  2. The email asks me to send photocopies of sensitive stuff (passport, driver’s licence, bank statement)
  3. I was asked to respond to security@paypalfraudchecking.com, which doesn’t have the usual @paypal.com suffix
  4. A quick Google search of a section of text in the email yielded warnings of PayPal scams

The most convincing evidence against the veracity of the email was #4. Take a look at the results:

Email from my bank after I changed my password

To get this, I simply highlighted a portion of the email message (“PayPal is constantly working to ensure security by regularly screening the”), pasted it into Google’s search bar, and hit Search. It works just as well with or without quotes. As you can see, every result was a warning about this scam.
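Item 3 in the list above (a reply address outside @paypal.com even though the From line shows service@paypal.com) is a check a mail filter can automate. The Python below is an added example, not part of the original post; the sample message, the function names and the brand-name heuristic are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import getaddresses

# Constructed sample modelled on the email described in the post; the
# subject line, recipient address and body wording are invented.
SAMPLE = """\
From: PayPal <service@paypal.com>
To: Ian Saxon <ian@example.org>
Subject: Please verify your recent transaction

Dear Ian Saxon,
Please send a photocopy of your passport and bank statement
to security@paypalfraudchecking.com within 48 hours.
"""

ADDR_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+")


def domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower()


def reply_path_mismatches(raw):
    """Return (address, domain, looks_like_brand) for every address the
    reader is steered to that is outside the displayed sender's domain."""
    msg = message_from_string(raw)
    senders = [a for _, a in getaddresses(msg.get_all("From", [])) if "@" in a]
    if not senders:
        return []
    trusted = domain_of(senders[0])
    # Simplification (assumption): the brand is the label left of the TLD,
    # e.g. "paypal"; a production check would use the Public Suffix List.
    labels = trusted.split(".")
    brand = labels[-2] if len(labels) > 1 else trusted

    # Where would a reply go? The Reply-To header plus addresses in the body.
    found = [a for _, a in getaddresses(msg.get_all("Reply-To", [])) if "@" in a]
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            text = part.get_payload(decode=True).decode("utf-8", "replace")
            found += ADDR_RE.findall(text)

    flagged = []
    for addr in dict.fromkeys(a.lower() for a in found):  # de-duplicate, keep order
        dom = domain_of(addr)
        if dom != trusted and not dom.endswith("." + trusted):
            flagged.append((addr, dom, brand in dom))
    return flagged
```

A brand name embedded in a different domain (the third tuple field) is the pattern seen in paypalfraudchecking.com; the From header itself can be forged, so a match between the two domains proves nothing on its own.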


The cost of phishing

Late last year, Consumer Reports determined by survey that one in 81 Americans got phished in 2007. The average phishing victim lost $200.

What does this mean for you?

People who assess risk often talk about “expected costs”, which they calculate by multiplying the probability of an event by its cost. The expected cost, then, of getting phished in a given year is 1/81 × $200 ≈ $2.50.

How can we make sense of the $2.50 figure? One way to think about it is this: it is the amount you would have to pay an insurance company each year for them to be willing to pay out your losses to phishing, should they occur. If the insurance company covered all Americans at this rate, they would break even on their costs.

Seen this way, the threat of phishing isn’t that great. The danger of identity theft when phishers get your bank account information is perhaps greater, but the actual monetary loss, at least on average, is minimal.
