Phishy e-mails and Web sites: What’s your responsibility? – Computerworld

Larry Ponemon, founder of the Ponemon Institutute, and new IT ethics columnist for ComputerWorld, writes about phishing this week.

His accout is unusual in the detail. His company surveyed 411 customers of a major retail bank that claimed to have clicked on a phishing email in May 2004 and who contacted the bank’s customer service department seeking help. Of the sample, 65 (16%) provided account details in the scam. Of those, 5 (8% of 65) reported account losses totally $50,000. Doing the math, that means a little more than 1% of those clicking on the fake email lost money, averaging $10,000 per loss, or $120 per customer who clicked. Pretty good money for the crooks if you don’t get caught.

More interesting is that 310 (75%) felt that the bank’s service reps were unprepared to deal with the problem. Nearly 60% of the total sample, a whopping 243 customers, said they would close their accounts at the bank. Even if just a quarter followed through, that’s 61 lost customers (15% of 411). Assuming each customer represents a NPV of $1000 to the bank, that’s another $60,000 in losses, bringing the total to more than $100,000.

Dr. Ponemon closes with five ideas for fixing the problem.

If you have been trying to convince senior managment to approve funding of additional security measures, by all means forward this article to them.