STAMFORD, CN — Phishing attacks in the United States soared in 2007, costing American consumers more than $3.2 billion according to a survey released Monday by Gartner Inc. An estimated 3.6 million adults lost money in phishing attacks in the 12 months ending in August; only 2.3 million were affected the previous year.Worse: Banks may be failing their customers by not keeping up with the latest anti-fraud and reporting technologies, making debit cards and checking accounts especially attractive targets for online criminals.
According to the more than 4,500 online U.S. adult who responded to the August survey, phishing attacks were more successful in 2007 than they were the two prior years. More than 3-percent of respondents said they lost money after responding to phishing emails during 2007, up 1-percent over 2006’s figure and up about 1.5-percent over 2005’s.
Gartner predicted phishing and malware attacks will continue to increase through 2009 because they continue to represent a lucrative business for the perpetrators. In addition, advertising networks will be used to deliver up to 30-percent of malware that lands on consumer desktops, Gartner said.
“Phishing attacks are becoming more surreptitious and are often designed to drop malware that steals user credentials and sensitive information from consumer desktops,” Avivah Litan, vice president and distinguished analyst at Gartner, said in a prepared statement. “Anti-phishing detection and prevention solutions are available but not utilized widely enough to stop the damage. These must be deployed and combined with solutions that also proactively detect and stop malware-based attacks.
“Customer-facing organizations cannot expect their customers’ desktops to be protected from malicious code, nor from e-mail and/or advertising traps that lure innocent consumers to websites that turn out to be infection points,” Litan continued. “In fact, 11-percent of online adults say they don’t use any security software [such as antivirus or anti-spyware products] on their desktop, and another 45-percent only use what they can get for free.”
The average dollar loss per incident declined in 2007 to $886 from $1,244 in 2006, but because there were more victims, $3.2 billion was lost to phishing in 2007, according to Gartner. There was a bit of relative good news, however: The amounts consumers were able to recover also increased. Some 1.6 million adults recovered about 64-percent of their losses in 2007, up from the 54-percent that 1.5 million adults recovered in 2006, Gartner indicated.
Although PayPal and eBay continue to be the most-spoofed brands, phishing attacks increasingly employ devious social engineering attacks, like impersonating electronic greeting cards, charities and foreign businesses.
Of particular concern is an increase in the number of debit cards and bank accounts that have been compromised by phishing schemes, because those targets typically are not as rigidly screened for fraud as are credit-card accounts. According to the survey, 47-percent of people who admitted losing money to a phishing attack said they had used a debit or check card to make payment. 32-percent of respondents listed a credit card as their method of payment, and 24-percent listed making payments via a checking account.
“Criminals have stepped up attacks on debit card and bank accounts, where back-end fraud detection systems are traditionally weaker than they are with credit card accounts,” Litan’s prepared statement noted. “Fraud detection and authentication systems deployed widely in online banking in response to [Federal Financial Institutions Examination Council] banking regulator guidance are already a step behind fraudsters’ latest techniques and must be updated to guard against browser hijackings, ‘man in the middle’ and other hidden malware-based attacks often delivered to users through phishing emails. Regulators must get a better handle on the problem through consistent and timely bank reporting on their fraud incidents and losses.”
Litan said bank regulators appear to be in the dark when it comes to measuring damage from phishing attacks. The University of California at Berkeley and Gartner analyzed Federal Deposit Insurance Corporation data about all bank-reported fraud attacks between January 27th, 2005, and May 30th, 2007, and found spotty, unreliable and unstructured data reported by U.S. banks.
“The data quality was so poor that it was impossible to draw any conclusions from it other than that the regulatory reporting on fraud attacks is severely lacking,” Litan said. “Custodians of consumer financial accounts must protect those accounts through fraud prevention, stronger user authentication and transaction verification.”
Although Gartner laid the responsibility for consumers’ financial-data security squarely at the feet of banks and data and advertising networks that the research firm said don’t do enough to protect Internet users, technology watchdog website FastSilicon.com editor-in-chief Nigel Woodford said the real blame lies with consumers who still appear reticent to take responsibility for their own safety.
“Treating the online world as if it were something magically different than ‘reality’ when it comes to your personal financial information is naive in the extreme, and it’s long past time for people to get this through their heads,” he wrote on Tuesday. “The real weakness here is human gullibility, and the fix is a simple one if only people would take a simple lesson to heart. Most reasonable people wouldn’t blurt out their personal financial information to a telemarketer or junk-mail marketer, so why do they do it online?
“NEVER give out personal financial information in a transaction that you did not yourself originate,” he continued. “As in NEVER. People have been taken in by con artists as long as there have been humans roaming the earth, and the solution to this behavior has been around just as long. Don’t be a fool, and you won’t be fooled.”
