Phishing: Expected Costs

In the previous post, I calculated the cost, in statistical terms, of identity theft for the typical person. But identity theft is not the only danger – what about the risks of phishing?

Consumer Reports, in their 2008 State of The Net report, claims that the likelihood of getting phished this year is 1 in 94, or just over 1%. The total amount lost to phishers nation-wide is estimated to be $2 billion.

Worry or Keep Cool?

If 1 in 94 American adults lost money to phishers, it means that $2 billion in costs were distributed amongst 2.4 million victims. From that statistic, we can figure that the average cost per person was about $835. If your chances of getting phished are 1 in 94, you can expect to lose (in statistical terms) $9 per year to phishers.

Now, knowing that you are likely to lose $9 per year in statistical terms is a bit of strange concept. In any given year, you will either lose a large sum like $835 or nothing at all. It might be easier to think of the $9 per year as something each person should be willing to spend to avoid the consequences of phishing.

For example, everyone in the country could contribute $9 per year into a phishing fund and distribute the money to the victims of phishing. Those who contribute but don’t fall victim to phishing get peace of mind out of the deal. The victims get compensated for what they lose. Everyone wins as long as peace of mind doesn’t cost more than $9 per year. Beyond that, it’s best to take your chances!

A convincing con

PayPal fraudulent email

A few days ago, I got a fraudulent email purporting to be from PayPal, which was surprisingly convincing.

The email’s most credible feature was its timing, which coincided with a recent PayPal transaction of mine.

Close…

Here’s why I was almost caught out:

  1. The message was addressed to me, Ian Saxon, not “Valued Customer”
  2. The email appeared to come from a legitimate PayPal email address (service@paypal.com)
  3. The contents were mostly well written. I noticed only four spelling and grammatical mistakes.
  4. I used PayPal recently, making it plausible that the company would want to check that the transaction was legitimate

…But not quite

The email was certainly not legitimate. Here’s how I knew:

  1. There were spelling and grammatical errors. Don’t kid yourself – the real PayPal has proof readers
  2. The email asks me to send photocopies of sensitive stuff (passport, drivers licence, bank statement)
  3. I was asked to respond to security@paypalfraudchecking.com, which doesn’t have the usual @paypal.com suffix
  4. A quick Google search of a section of text in the email yielded warnings of PayPal scams

The most convincing of the evidence against the veracity of the email was #4. Take a look at the results:

Email from my bank after I changed my password

To get this, I simply highlighted a portion of the email message (“PayPal is constantly working to ensure security by regularly screening the”), pasted it into Google’s search bar, and hit Search. It works just as well with or without quotes. As you can see, every result was a warning about this scam.

Read more about phishing

The cost of phishing

Late last year, Consumer Reports determined by survey that one in 81 Americans got phished in 2007. The average phishing victim lost $200.

What does this mean for you?

People who assess risk often talk about “expected costs”, which they calculate by multiplying the probability of an event by its cost. The expected cost, then, of getting phished in a given year is 1/81*200 = $2.50.

How can we make sense of the $2.50 figure? One way to think about it is this: it is the amount you would have to pay an insurance company each year for them to be willing to pay out your losses to phishing, should they occur. If the insurance company covered all Americans at this rate, they would break even on their costs.

Seen this way, the threat of phishing isn’t that great. The danger of identity theft when phishers get your bank account information is perhaps greater, but the actual monetary loss, at least on average, is minimal.

Banks get it

I changed my banking passwords today, something I do about every three months. After doing so, I received emails from each bank informing me that my passwords had been changed – and advising me that I ought to get in touch with them if I had not done the changing. Here’s the email I got from RBC:

Email from my bank after I changed my password

What they get right

They get a couple things right. First, sending an email to me when my password is changed is a great idea. If someone else had changed my password, I would learn about it quickly. (What would happen, though, if that person changed the email address on file at the same time? No problem: when an email address change is made, a notification is sent to the old email address.)

Second, they assure me in the email that “RBC will never ask you to provide, confirm or verify confidential information like your online banking ID, password, account numbers, balances or PIN through regular email.” That’s super. If I ever get an email asking me to confirm confidential information, I’ll know it’s fake.

What they get wrong

I do have one minor complaint. It would be better if my bank refrained from including phone numbers and clickable links in the email. I could imagine a scenario where a phisher sends an email identical to this one, except that the links and phone numbers direct the user to a phishing source. Once the user is on the phisher’s website or is talking to a phisher, he might forget all about the promise in the email to never ask about confidential information.

On the other hand, if banking customers get used to the idea that legitimate banks never send emails with links or phone numbers inside them, phishers would have trouble indeed getting people to contact them.

Edited to Add (2 Mar 2008): Note that my bank included my name in the email, something many banks do. So if you ever receive an email from what is ostensibly your bank that lacks your full name (“Dear Customer” or the like), be wary.

Read more about passwords,phishing

Taxes and phishing

Man's hand grabbing pile of cash

The Canada Revenue Agency is warning taxpayers to watch out for phishing scams this tax season. They have a good description of how these scams work:

  1. You receive an unsolicited e-mail or phone call promising you a significant amount of money, in the form of a lottery or sweepstakes jackpot, or a tax refund.
  2. To receive the promised money, you are asked to provide either an upfront deposit or confidential banking information, such as credit card or bank account numbers and passwords.
  3. You are then told that someone will get back to you with the promised payout, which doesn’t happen.
  4. When you try to recover the money, you find that the individual who contacted you has disappeared or never gives you a straight answer.

Good to know, particularly if you recognize what is happening at stage 1.

Read more about phishing

« Previous PageNext Page »