Nearly half (45 per cent) of those who visit the most convincing phishing pages are tricked into handing over personal information, according to Google.
This effectiveness drops to just three per cent in the case of the most obviously scummy phishing sites, while the online giant reports that the account hijackers work quickly, with one in five compromised accounts getting accessed within 30 minutes.
These figures (which exclude people who don't click on links to visit phishing pages) come from a study by Google into "manual hijacking" of compromised online accounts. It differentiates this hacking methodology from mass hijackings (typically used to send lots of spam) or state-sponsored attacks (highly targeted, often with political motivations).
"Manual hijackers often get into accounts through phishing: sending deceptive messages meant to trick you into handing over your username, password, and other personal info," Google explains in a blog post. "Even though they’re rare — 9 incidents per million users per day — they’re often severe, and studying this type of hijacker has helped us improve our defences against all types of hijacking."
Google explains a variety of security precautions (including enabling two-step verification) that can be used to protect accounts. However, it acknowledges that this process will always be a game of cat and mouse.
"Hijackers quickly change their tactics to adapt to new security measures," Google explains. "For example, after we started asking people to answer questions (such as “which city do you login from most often?”) when logging in from a suspicious location or device, hijackers almost immediately started phishing for the answers." ®