About half of those online bankers who do visit fraudulent phishing sites pretending to be from their financial institution serve up their log-in credentials, according to Trusteer, an international anti-phishing specialist.
Fortunately, that's a very small number, but the financial losses could still mount up, the company said.
The company said an analysis of phishing attacks against 10 large U.S. and European banks over a three-month period found that about 1% of phishing e-mail recipients visit the fraudulent sites and that half of those then entered their credentials, presumably into the hands of waiting cyber-criminals.
The potential financial loss for that relatively small number of affected accounts would range between $2.4 million and $9.4 million a year per one million online banking clients, Trusteer said.
Trusteer, based in Israel and New York City, said its Rapport anti-phishing Web browser plug-in is now in place on about 3 million computers across North America and Europe. Its client list includes 24 banks and $3.5 billion Pennsylvania State Employees CU.
