Phishing For Trouble

The number of U.S. adults that are sure or think that they have received phishing emails has nearly doubled since 2004, according to a new survey by Gartner. Financial losses stemming from these attacks have risen to more than $2.8 billion in 2006. "The good news is that, this year, fewer people think they lost money to phishers, but when they did lose, they lost more," says Avivah Litan, vice president and distinguished analyst at Gartner. "The average loss per victim nearly quintupled between 2005 and 2006, and the thieves seem to be targeting higher-income earners who are also more likely to transact on the Internet." According to the survey, approximately 109 million U.S. adults have received phishing email attacks, up from 57 million in 2004. The average loss per victim has grown from $257 to $1,244 per victim in 2006. The average amount of money consumers recovered from phishing attacks in 2005 was 80 percent, but in 2006, recovery amounts dropped to 54 percent. Additionally, high-income adults earning more than $100,000 per year are more heavily attacked. This group reported receiving an average of 112 phishing emails in the past year versus 74 emails per consumer across all income brackets. The high-income adults lost on average $4,362, almost four times as much as other victims. Phishing emails that reach consumers are impersonating banks less often, and other brands, such as PayPal and eBay, more often. Banks and credit card company refunds to consumers who lost money because of phishing attacks are declining as a percentage of total refunds, while refunds from non-financial services companies and retailers are growing as a percentage of total funds. "Cyber-criminals are starting to shift away from attacking online banks directly, and they are leveraging less conventional brands and/or using hard to detect social engineering methods to reap financial gains," Litan says. "Countermeasures such as phishing detection and take-down services deployed by banks, Internet service providers, and other service providers are not sufficiently widespread or effective." According to the Gartner survey of 5,000 online adults, an estimated 24.4 million Americans have clicked on a phishing email in 2006, up from approximately 11.9 million in 2005, while 3.5 million have given sensitive information to the phishers, up from 1.9 million adults last year. Recent browser upgrades (such as with Microsoft's Internet Explorer and Mozilla's Firefox) will try and flag known phishing attack sites to consumers, but Litan says many attacks can still slip by. "Many of the browser upgrades are still incomplete and immature in terms of protections afforded," Litan says. "For at least two more years, phishing attacks will continue to increase since it's still a lucrative business for the perpetrators." The fear of phishing attacks is having a dramatic impact on non-solicited emails and email marketing, as more adults delete emails if they don't know the person sending them. Among respondents who say their trust in email has been adversely affected by the recent spate of security-related incidents, 85% delete emails they don't trust without opening them first. "The anti-phishing measures some enterprises have put in place to protect their brand and their consumers are not working," Litan says. "Phishers are moving from site to site to launch their attacks more quickly than ever. The average life of phishing sites has gone from one week a couple years ago to about one hour in 2006. Within a year or so, phishing sites may be user specific--that is a single site will be set up to launch a phishing attack against a single user. It's no wonder the detection services can't keep up with these rapid criminal movements." Related articles: McGruff Sinks His Teeth Into Cybercrime Business Signatures Bans Bank Bunko