According to a survey of more than 4,500 online U.S. adults in August 2007 (which was representative of the online U.S. adult population) the attacks were more successful in 2007 than they were in the previous two years. Of consumers who received phishing e-mails in 2007, 3.3 percent say they lost money because of the attack, compared with 2.3 percent who lost money in 2006, and 2.9 percent who did so in 2005, according to similar Gartner surveys during those years.
"Phishing attacks are becoming more surreptitious and are often designed to drop malware that steals user credentials and sensitive information from consumer desktops," said Avivah Litan, vice president and distinguished analyst at Gartner. "Anti-phishing detection and prevention solutions are available but not utilized widely enough to stop the damage. These must be deployed and combined with solutions that also proactively detect and stop malware-based attacks."
"Customer-facing organizations cannot expect their customers' desktops to be protected from malicious code, nor from e-mail and/or advertising traps that lure innocent consumers to Web sites that turn out to be infection points," Ms. Litan said. "In fact, 11 percent of online adults say they don't use any security software (such as antivirus or anti-spyware products) on their desktop, and another 45 percent only use what they can get for free."
The average dollar loss per incident declined to $886 from $1,244 lost on average in 2006 (with a median loss of $200 in 2007), but because there were more victims, $3.2 billion was lost to phishing in 2007, according to surveyed consumers. There was a bit of relative good news, however; the amounts that consumers were able to recover also increased. Some 1.6 million adults recovered about 64 percent of their losses in 2007, up from the 54 percent that 1.5 million adults recovered in 2006.
PayPal and eBay continue to be the most-spoofed brands, but phishing attacks increasingly employ devious social engineering attacks, impersonating, for example, electronic greeting cards, charities and foreign businesses.
Thieves are increasingly stealing debit card and other bank account credentials to rob accounts — targeting areas where fraud detection is weaker than it is with credit card accounts. According to the survey, of those consumers who lost money to phishing attacks, 47 percent said a debit or check card had been the payment method used when they lost money or had unauthorized charges made on their accounts. This was followed by 32 percent of respondents who listed a credit card as the payment method, and 24 percent who listed a bank account as the method (multiple responses were allowed).
"Criminals have stepped up attacks on debit card and bank accounts, where back-end fraud detection systems are traditionally weaker than they are with credit card accounts," Ms. Litan said. "Fraud detection and authentication systems deployed widely in online banking in response to FFIEC banking regulator guidance are already a step behind fraudsters' latest techniques and must be updated to guard against browser hijackings, "man in the middle," and other hidden malware-based attacks often delivered to users through phishing e-mails. Regulators must get a better handle on the problem through consistent and timely bank reporting on their fraud incidents and losses."
Ms. Litan said bank regulators appear to be in the dark when it comes to measuring damage from phishing attacks. The University of California at Berkeley conducted a Freedom of Information Act request, asking the Federal Deposit Insurance Corporation for all bank-reported data on fraud attacks between January 27, 2005 and May 30, 2007. Gartner and UC Berkeley analyzed these data and found spotty, unreliable and unstructured data reported by U.S. banks to the regulator. Just 451 unique incidents were reported in this period. "The data quality was so poor that it was impossible to draw any conclusions from it other than that the regulatory reporting on fraud attacks is severely lacking," Ms. Litan said.
Phishing and malware attacks will continue to increase through 2009 because it's still a lucrative business for the perpetrators, and advertising networks will be used to deliver up to 30 percent of malware that lands on consumer desktops.
Gartner sees no easy way out of this dilemma unless e-mail providers have incentives to invest in solutions to keep phishing e-mails from reaching consumers in the first place, and unless advertising networks and other "infection point" providers (which theoretically can be any legitimate Web site or service) have incentives to keep malware from being planted on their Web sites to reach unsuspecting consumers.
"Enterprises should at least protect their own brands from being used in phishing attacks by subscribing to an anti-phishing solution," Ms. Litan said. "Similarly, companies should subscribe to anti-malware services that detect malware targeting the firm's customers, and prevent it from spreading across consumer desktops. Custodians of consumer financial accounts must protect those accounts through fraud prevention, stronger user authentication and transaction verification."