More than 5 million US consumers lost money to phishing attacks in the 12 months ending in September 2008, a 39.8% increase over the number of victims a year earlier.
In September 2008, Gartner surveyed 3,985 US online adults to determine the number of US adults who have been victimised by phishing attacks, as well as the methods being used by criminals to execute these crimes.
The survey uncovered a trend toward higher-volume and lower-value attacks. Although the number of consumers who lost money to phishing attacks increased in 2008, average losses decreased. The average consumer loss in 2008 per phishing incident was $351.00, a 60% decrease from the year before.
Phishing attacks continue to exact financial damage on consumers and financial institutions. Consumers recovered 56% of their losses, meaning that most fraud costs were borne by consumer banks, PayPal and other financial service providers.
"The survey findings underline the fact that the war against phishing is far from over," says Avivah Litan, vice-president and distinguished analyst at Gartner. "Despite the rollout of a wide range of security measures designed to stem phishing, the truth is that many of them are not yet adopted widely enough to reverse this tide and, in many cases, their effectiveness is only partial."
Litan says measures targeted at stopping phishing include phishing e-mail blocking, safe browser surfing features, the use of site authentication to assure users they are on a legitimate website, the detection of phishing attacks, and the take-down of the criminal sites servicing those attacks.
Gartner recommends that organisations continue to deploy and improve security solutions that protect accounts and customers against attacks. Organisations that are custodians of customer accounts should also consider site authentication or assurance to confirm to a customer that he or she is on a legitimate website and not a spoofed site. In addition, anti-phishing services can proactively look for phishing attacks against named organisations before they are launched and take the phishing sites down on detection.
Companies providing e-mail services should investigate "secure" e-mail gateways that can block phishing e-mails from reaching customer inboxes using a variety of methods, from e-mail content analysis to accepting only properly digitally signed e-mail. End users can also increase their own protection by using safe-browsing tools that warn when a known or suspected phishing site is accessed.
"None of the solutions are foolproof, however, and determined crooks will manage to get around them, so a layered security approach, involving all parties, will yield the best results," says Litan. "This strategy must include continuous fraud detection, stronger user authentication, and out-of-band transaction verification for registered users."
Gartner defines a phishing attack as one in which hackers or cyberthieves present themselves to users as a trusted service provider when in fact the phisher seeks to steal the user's account information, such as credit card number, home address and phone number, or credentials, such as user IDs and passwords. Phishing is typically accomplished by the hacker sending someone an e-mail containing a link and an invitation to visit a website, which the thief portrays as a well-known and/or trustworthy site.