88% of Phishing Attacks Succeed in Accessing Bank Accounts

By William Peña – Journalist, contributor at ITBS

Cybercriminals never rest, and phishing remains by far one of the most effective attack methods, even though warnings about this technique are issued daily.

Its success largely stems from the fact that people access websites from anywhere without checking whether they are the official pages of banks or service companies. They also click on any email or link that arrives on their device or computer without verifying whether the page truly belongs to their bank.

An analysis conducted by several cybersecurity companies revealed that 88% of phishing attacks aim to obtain login credentials for various online services.

To a lesser extent, these threats also seek other types of information: 9% focus on collecting personal data, such as names, addresses, and dates of birth, while 2% target information related to bank cards.

Everything Is for Sale on the Dark Web
These campaigns also seek personal and banking information, which can later be resold on the Dark Web for as little as $50.

The findings show that most fraudulent pages send stolen data through email, bots installed in messaging apps like Telegram, or attacker‑controlled panels, before the information enters clandestine buy‑and‑sell channels.

Data obtained through phishing is rarely used only once. Stolen credentials from different campaigns are often grouped into large databases and sold on Dark Web marketplaces, sometimes for very low amounts.

Prices vary significantly depending on the type of information: less than one dollar for access to global internet portals, $105 for cryptocurrency platforms, and up to $350 for online banking services.

Hacking Made Easy
Personal documents such as passports or official IDs are sold for an average of $15, with prices influenced by factors such as account age, available balance, linked payment methods, and security settings.

As these datasets grow and are combined, cybercriminals can build detailed digital profiles that later enable targeted attacks against executives, financial staff, IT administrators, or individuals with valuable assets or sensitive documents.

Once usernames, passwords, phone numbers, and personal data are collected, they are grouped, verified, and sold—even long after the initial theft. When combined with new information, even older data can facilitate account takeovers and targeted attacks against both individuals and organizations.

Given this scenario, companies must understand that investing in cybersecurity is not optional—it is essential. Investing in platforms with robust solutions protects against all types of cyberattacks, which is especially important at a time when hackers seem to stay one step ahead in cybersecurity matters.