In a recent report, Gartner estimated that 57 million U.S. adults received a “phishing” attack e-mail within the past year, and half of those who responded became victims of identity theft.
Phishing is a tactic used to get credit card information from consumers who believe they are visiting legitimate bank and credit card sites. Usually accomplished through the use of pop-up windows that piggyback on real sites, phishing has been on the scene for some time, but recent attacks have underscored how easily attackers can get hold of personal information.
Based on the representative sample in its April survey, Gartner believes nearly 11 million people, or 19 percent of the 57 million who received a phishing attack e-mail, clicked on a link in that e-mail. Of those, 1.78 million, or 3 percent, remember giving phishers sensitive financial or personal information, such as credit card numbers or billing addresses.
Although the report’s numbers are frightening, Gartner analyst Avivah Litan, the report’s author, told the E-Commerce Times that the reality is probably even worse. “I imagine that the numbers are even higher, because there are probably people who haven’t even realized that they were part of an attack,” Litan said.
According to Gartner, direct losses from identity-theft fraud against phishing attack victims cost U.S. banks and credit card issuers about US$1.2 billion last year.
From Bad to Worse
In November and December 2003, phishing attacks vaulted into the spotlight when Visa was targeted. E-mail recipients were asked to confirm their identities as part of a new security system, and they seemed to be directed to the company’s legitimate site. When users clicked on the link, however, they were sent to a site that looked like Visa’s but did not belong to the company.
At the time, e-mail security company Tumbleweed Communications, which runs the Anti-Phishing Working Group, noted that such attacks were up 400 percent during the holiday season. Since then, the problem has gotten worse.
Dave Jevans, chairman of the Anti-Phishing Working Group, told the E-Commerce Times that he is not surprised by Gartner’s numbers because they are consistent with those seen by the working group as well.
“It’s absolutely growing worse,” he said. “In our numbers for March, there was a 40 percent increase in attacks over February. And it does not look like it is stopping anytime soon.”
Unlike spammers and hackers, who tend to be either individuals or small groups, phishers are a whole different breed.
Litan said many drug lords are getting into identity theft, and it has been noted that organized-crime figures in different parts of the globe are keenly interested in phishing. The FBI and Secret Service have been putting more effort into investigating phishing rings, Jevans said, because the money may be going to fund terrorist activities.
Worse, launching attacks is now easier than ever. Software is available that makes such attacks easy to develop and run.
“Once you have the software in the system, you basically just pick a target,” Jevans said.
If the incidence of phishing keeps increasing, it could have a devastating effect on consumer confidence. In her report, Litan wrote, “Eventually, all participants in Internet commerce will be hurt by diminished consumer trust in online transactions.”
There are ways to stem the tide of attacks, she said, in both the immediate future and the long term. For example, stronger authentication on the Internet would go far in stopping attacks.
“The days of just asking for a password are coming to an end,” she said. “Passwords are ridiculously easy to break.”
Some vendors, like Brightmail, also are making anti-phishing solutions that show promise.
Without high-powered tools available to fight phishing, it is unlikely that the practice will come to an end.
That is because phishers rely on credulous Internet users, and John Movina, spokesperson for the Coalition Against Unsolicited Commercial Email (CAUCE), told the E-Commerce Times that there are more than enough of those to keep identity-theft rings going strong.
“I’m still continually surprised at how much people believe the stuff that comes into their e-mail inbox,” he said. Even when warned that giving out personal information and financial data is dangerous, people will still do it, he added.
“Not to be too insulting to my fellow Internet users, but these types of models like phishing depend on people not being smart,” Movina said. “And they’re working. It’s like the P.T. Barnum business model, with a sucker born every minute.”