Google Research published this report on their findings (PDF)
about phishing websites. One of their findings is that the most effective phishing sites capture personally identifiable information (PII) from as many as 45% of the visitors who land on them. The least successful sites capture data from only around 3% of their visitors.
Another important finding is that hijacked accounts are often exploited within 30 minutes of the credentials being entered on the phishing site. This shows just how quickly the crooks move, and how fast we must change the password (and revoke any active sessions, since a password change alone does not always log an attacker out) if we suspect we gave up information on a phishing site. It is also a strong case for two-factor authentication.
From a security culture perspective, it makes sense to implement a training strategy in which users who suspect they have given up information to a fraudulent site are trained on what to do after the fact. Some actions to take may include:
- Create a workflow to report and handle phishing attempts
- Train end-users in the workflow
- Build a positive experience for the end user when they report an incident
You can use the Security Culture Framework to organize the workflow and training aspects.