Criminals running phishing scams are raking in more money than ever, with the average loss jumping fivefold in the last year and the percentage of money recovered plummeting, according to a survey published Thursday by research firm Gartner.
"Phishing e-mails are getting through, and when they do steal, phishers are getting five times the amount they did in 2005," said Gartner analyst Avivah Litan. "They're getting better, much better, at their schemes." Litan pegged the total loss to phishing in the 12 months ending Aug. 30 at a whopping $2.8 billion.
Although some analysts have pegged phishing attacks as leveling off, Litan scoffed at the notion. "It was presumptuous of us to think that phishing would be solved, much like spam has been, and would be only so much 'noise' on the Internet," Litan said.
According to Litan's research, almost twice as many Americans admitted that they'd received a phishing e-mail in 2006 as did in 2004. The survey's tallies correlate to 109 million consumers seeing an attack in 2006, compared to 79 million in 2005 and just 57 million in 2004. More consumers also acknowledged that they'd gone as far as to actually click on a link in a phishing e-mail; in 2006, the percentage of those who said they'd received a phish and clicked on a link was nearly 25 percent. In 2005, the number was only 15 percent.
Even more distressing, said Litan, was that while the number of people who said they'd lost money to online fraud went down by 24 percent, the average loss skyrocketed from $257 in 2005 to $1,244 in 2006. Worse, the percentage of the lost money that was recovered or refunded to the consumer dropped precipitously.
"The recovery rate has gone from 80 percent of the loss to just 64 percent," said Litan. That translated into a tenfold leap in the out-of-pocket hit on the average phishing victim. In 2005, for example, after recovered funds were factored, victims were out an average of $51; in 2006, that jumped to $572.
Trends like that are alarming, said Litan, and point out the rapid shift in phishers strategies. "The amounts that big banks are losing is going down," said Litan. Security protections implemented by large financial institutions -- such as Citibank and Bank of America -- have squeezed losses. "They're paying less money out. But the phishers are just going down the totem pole. They're using sweepstakes offers, lottery offers, fake auctions, and attacking PayPal."
Litan called the traditional phishing attack, where criminals try to dupe consumers into divulging their bank or credit card account username and password, "old hat."
Instead, attacks have moved into what Litan called unconventional territory, attacks using techniques that don't directly involve a bank or credit card account, but that leave the victim little or no recourse for recovering losses. One example: Western Union money transfers to "sellers" of fake auctioned items. "In most cases, payments made with non-bank money transfer systems are final and consumers can't reverse them once the money is moved," said Litan.
Fighting phishing is tough for the consumer, Litan agreed. The criminals seem to always be a step, or more, ahead. Anti-phishing features in the newest browsers, such as Microsoft's Internet Explorer, for example, are obsolete by the time they're introduced.
"A year ago, the average lifespan of a phishing site was a week," said Litan. "Now it's close to an hour. Most anti-phishing toolbars are largely based on blacklisting [known phishing sites]. You can't blacklist an IP address that changes every hour. By the time that IE 7 came out, it was too late to be much help."
While some technologies look promising -- white lists, or lists of trusted sites, is promising, said Litan, as is heuristic-based fraud detection if it's built into the browser -- the immediate future looks grim.
"When you lose to a phisher, you'll lose bigger and you won't get your money back," said Litan. "Less conventional attacks mean that losses will go up in 2007 even as the number of successful attacks go down. In the end, more money will be lost next year."