"They seem to be more complacent about those risks than other age groups," Ponemon said. "Their attitude seems to be more one of a general acceptance that bad things will happen online, and that they'll just deal with it when it happens and move on."
Jennifer Gillespie, of Brooklyn, N.Y., was 25 when she was taken by a phishing scam targeting Citibank customers. She learned she had been conned when the company called to report an unusual flurry of activity on her account. Now 26, Gillespie was one of the lucky ones; the fraudsters would have had a hard time fleecing her account.
Transcript: Brian Krebs hosted Dave Jevans, chairman of the Anti-Phishing Working Group.
"My card was almost maxed out anyways," Gillespie said.
Still, she continues to shop online. "It's been frustrating and annoying, but it really wasn't that big a deal. It didn't end up costing me anything," she said.
Approximately 60 percent of those surveyed by the Ponemon institute said they had inadvertently visited a fake or spoofed site, and more than 15 percent admitted providing data to what they later realized was a phishing site. Of those who fell for the scams, 68 percent provided credit card numbers, and 62 percent handed over their Social Security numbers. Slightly more than half who fell for the phish realized they got scammed within a week of giving out their personal information, Ponemon said.
Timothy May, a 44 year-old salesman from Tomball, Texas, learned the phishers had hooked him shortly after his credit card was declined at a business lunch with a client.
"You can't imagine how embarrassing that was," May said. "Plus, I didn't even know the extent of the whole scam at that point."
May says he can't recall when or how it went down, but he remembers responding to an e-mail warning him that his bank account would be cancelled unless he updated his financial information. Later, someone tapped his checking account to buy $5,000 worth of auto parts from a store in Brooklyn. After that, fraudsters in California used his credit card number to purchase a batch of new Dell computers.
Like many other phishing victims interviewed for this series, May's experience has convinced him that the Internet is too treacherous and unpredictable a place for conducting business.
"I'll surf the Web and look at stuff, but I don't buy anything online anymore. It's just not worth it."