That's according to Trusteer, an online security startup that markets an antiphishing Web browser plug-in.
An analysis of phishing attacks against 10 large U.S. and European banks over a three-month period found that about 1% of phishing e-mail recipients visited the fraudulent sites and that half of those visitors then entered their credentials, presumably delivering them into the hands of waiting cyber-criminals.
The potential financial loss for that relatively small number of affected accounts would range between $2.4 million and $9.4 million a year per one million online banking clients, Trusteer said.
"Since the vast majority of phishing attacks are blocked by server-based antispam and e-mail/browser phishing filters, we decided to focus our research only on malicious messages that were delivered and were acted upon by the victims," said Amit Klein, chief technology officer at Trusteer and head of the company's research organization.
"While the fact that nearly half of the victims were tricked into giving up their online banking credentials was surprising, the aggregate value of the financial losses created by only half of one percent of a bank's customers is staggering," said Klein.
Trusteer, based in Israel and New York City, is led by former executives from Cyota/RSA Security, Imperva and NetScreen/Juniper. Its client list includes 24 banks and the $3.5 billion Pennsylvania State Employees CU.