Phishing Damage Estimations

Trusteer operatates the anti-phishing browser plugin Rapport. Based on measurements performed by Rapport, they were able to estimate the average damage done by phishing. A succesful phishing attack is counted if the Rapport plugin detects that the user tries to enter credentials into a phishing web site.

Assuming that each successful phishing attack steals between 500$ and 2000$ they arrive at an average damage of 2$ to 9$ per online banking user per year.

This seems a lot but it also explains why banks seem to take phishing so lightly: Any kind of security token will certainly cost more per user and year.

What about Rapport itself? It seems to be well suited here if it helps against phishing and costs the bank less than the 9 Dollars mentioned above. Which is no surprise, as all the numbers come from Trusteer. I would like to know whether it also helps against trojans and man-in-the-middle attacks.