STAMFORD, Conn. – Phishing attacks in the U.S. soared in 2007, with a total of $3.2 billion stolen. The number of adult phishing victims jumped from last year, as 3.6 million adults lost money in the 12 months ending in August, compared with the 2.3 million who did so the year before, according to a recent survey by Gartner Inc.
The research company polled more than 4,500 online U.S. adults in August to determine the severity of the attacks. Of the consumers who received phishing e-mails in 2007, 3.3 per cent said they lost money because of the attack, compared with Gartner findings from previous years: 2.3 per cent lost money in 2006, and 2.9 per cent were victimized in 2005.
According to Avivah Litan, vice president and distinguished analyst at Gartner, phishers are becoming more sneaky, with messages often designed to drop malware that steals user credentials and sensitive information from desktops.
“Anti-phishing detection and prevention solutions are available but not utilized widely enough to stop the damage,” Litan said in a statement. “These must be deployed and combined with solutions that also proactively detect and stop malware-based attacks.”
PayPal and eBay continue to top the list of most-spoofed brands, but phishers are getting more devious, impersonating electronic greeting cards, charities and foreign businesses.
Litan added that organizations couldn’t expect their customers’ desktops to be protected. Eleven per cent of respondents said they don’t use any security software on their desktops, while another 45 per cent said they only use what they can get for free.
While the average dollar loss per incident dropped from $1,244 in 2006 to $886 in 2007, more people were duped by phishing scams this year, which added up to more total dollars lost. There was some good news, though: recovered amounts also increased. Approximately 1.6 million adults recovered about 64 per cent of their losses in 2007, up from the 54 per cent of losses that 1.5 million adults got back in 2006.
Debit cards and other bank account credentials are increasingly sought after by thieves trying to rob accounts, since back-end fraud detection systems in these areas are traditionally weaker than they are with credit card accounts. Of those respondents who said they lost money in phishing scams, 47 per cent said they had been using a debit or cheque card as their payment method at the time they lost money or received unauthorized charges on their accounts. Meanwhile, 32 per cent listed a credit card as the payment method, and 24 per cent cited their bank account.
Even though fraud detection and authentication systems are being widely deployed in online banking, they are “already a step behind fraudsters’ latest techniques,” said Litan. The systems need to be updated to guard against attacks such as browser hijackings, or man-in-the-middle attacks, whereby the victim communicates with a legitimate Website via a fake URL sent by the fraudster, who then captures the victim’s personal information in real time.
Litan also noted that bank regulators seem to be in the dark when it comes to measuring damage from phishing attacks. Under a Freedom of Information Act request, the University of California at Berkeley (UC Berkeley) asked the Federal Deposit Insurance Corp. for all bank-reported data on fraud attacks between January 27, 2005 and May 30, 2007. Upon analysis, Gartner and UC Berkeley found the data to be spotty, unreliable and unstructured, with only 451 unique incidents reported in this period.
Gartner predicted that phishing and malware attacks would continue to increase through 2009, seeing as they’re still so lucrative for perpetrators. Advertising networks will be used to deliver up to 30 per cent of malware that lands on consumer desktops.
Litan said there’s no easy way out of this dilemma unless e-mail providers have incentives to invest in solutions to keep phishing messages from reaching people in the first place, and unless advertising networks and other “infection point” providers — which theoretically could be any legitimate Website or service — have incentives to keep malware from being planted on their Websites.
“Enterprises should at least protect their own brands from being used in phishing attacks by subscribing to an anti-phishing solution,” Litan said. Companies should sign up for anti-malware services to protect their customers and prevent malware from spreading, while consumer financial accounts need better fraud prevention and stronger user authentication and transaction verification.
This column was written by Patricia Pickett of ConnectIT.





