Phishing continues to show off-the-charts growth, with few signs of slowing down, according to two market studies published this week.
The number of U.S. adults who have received phishing emails has nearly doubled since 2004, from 57 million to 109 million, according to a study from Gartner Inc. released yesterday. Financial losses stemming from phishing attacks have risen to more than $2.8 billion, the research firm says.
A separate report issued earlier this week by the U.K.'s Association of Payment and Clearing Services (APACS) confirms Gartner's conclusions. In the U.K., the number of reported phishing incidents has skyrocketed from 312 in the first half of 2005 to 5,059 in the first half of 2006.
"The good news is that, this year, fewer people think they lost money to phishers, but when they did lose, they lost more," said Avivah Litan, vice president and distinguished analyst at Gartner. "The average loss per victim nearly quintupled between 2005 and 2006."
Phishers prefer to attack high-income adults earning more than $100,000 per year, according to the Gartner study. Those with six-figure incomes reported receiving an average of 112 phishing emails in the past year, compared to an average of 74 across all income brackets, Gartner says. High-income adults also lost more money from phishing attacks: an average of $4,362, almost four times as much as other victims, the research firm says.
Most of the attacks over the past year have been targeted at online banking customers. According to the APACS study, U.K. losses from phishing were approximately $27.7 million in the first half of 2005; that figure rose to almost $43 million in the first half of 2006.
And the attacks are becoming more creative, Litan says. "Cyber-criminals are starting to shift away from attacking online banks directly, and they are leveraging less conventional brands and/or using hard-to-detect social engineering methods to reap financial gains," she says. For example, many attackers are impersonating other entities that use banking information, such as PayPal and eBay, she says.
Phishing defenses are getting better, but they still aren't stopping the attacks, Litan says. "Countermeasures such as phishing detection and take-down services deployed by banks, ISPs, and other service providers are obviously not sufficiently widespread or effective," she observes.
Upgrades to browsers such as Microsoft's Internet Explorer and Mozilla's Firefox haven't helped much, either. "Many of the browser upgrades are still incomplete and immature in terms of protections afforded," Litan says. "For at least two more years, phishing attacks will continue to increase, since it’s still a lucrative business for the perpetrators."
And enterprises will find these attacks difficult to stop, Litan warns. "The anti-phishing measures some enterprises have put in place to protect their brand and their consumers are not working. Phishers are moving from site to site to launch their attacks more quickly than ever. The average life of phishing sites has gone from one week a couple years ago to about one hour in 2006.
"Within a year or so, phishing sites may be user specific -- that is, a single site will be set up to launch a phishing attack against a single user. It’s no wonder the detection services can’t keep up with these rapid criminal movements."
Both APACS and Gartner said the most effective means of preventing phishing losses is to teach users not to open emails from untrusted sources. APACS also advises consumers to type URLs into the browser themselves, rather than following links in emails, and to shop only at SSL-enabled sites.
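The APACS advice above (type the address yourself, insist on SSL) boils down to two checks a mail filter can automate: does the link's visible text name a different host than the link actually points to, and is the destination served over HTTPS at all? The following is an added example written for this page, not code from the article, Gartner or APACS; the sample email body, the host names and the IP address in it are constructed for illustration. It extracts every anchor from an HTML email body and returns, per link, the reasons it looks deceptive.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample email body (not from the article): two deceptive links, one honest one.
SAMPLE_EMAIL_HTML = """
<p>Dear customer, please verify your account:</p>
<a href="http://198.51.100.7/login">https://www.example-bank.com/login</a><br>
<a href="https://secure-update.example.net/pay">www.example-pay.com</a><br>
<a href="https://www.example-bank.com/help">Help centre</a>
"""

# Matches anchor text that itself looks like a URL or bare hostname; group 1 is the host without "www.".
_HOST_RE = re.compile(r"^(?:https?://)?(?:www\.)?([a-z0-9.-]+\.[a-z]{2,})", re.I)
_IPV4_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


class _LinkCollector(HTMLParser):
    """Collect (href, visible_text) pairs from <a> tags in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def extract_links(html):
    """Return a list of (href, visible_text) tuples in document order."""
    collector = _LinkCollector()
    collector.feed(html)
    return collector.links


def _strip_www(host):
    return host[4:] if host.startswith("www.") else host


def host_of(href):
    """Lower-cased hostname the link actually resolves to ('' if unparsable)."""
    return (urlparse(href).hostname or "").lower()


def visible_host(text):
    """If the anchor text looks like a URL or hostname, return that host; else None."""
    m = _HOST_RE.match(text.strip())
    return m.group(1).lower() if m else None


def analyze_links(html):
    """One finding per anchor: the href, its text, and the reasons it is suspicious."""
    findings = []
    for href, text in extract_links(html):
        reasons = []
        target = host_of(href)
        # APACS advice: shop only at SSL-enabled sites; a plain-http destination fails that.
        if urlparse(href).scheme.lower() != "https":
            reasons.append("not-https")
        # Legitimate brands rarely link to a bare IP address.
        if _IPV4_RE.fullmatch(target):
            reasons.append("ip-address-host")
        # The classic trick: the text shows one site, the href goes to another.
        shown = visible_host(text)
        if shown and _strip_www(shown) != _strip_www(target):
            reasons.append("text-host-mismatch")
        findings.append({"href": href, "text": text, "reasons": reasons})
    return findings


def suspicious_links(html):
    """Only the anchors that triggered at least one reason."""
    return [f for f in analyze_links(html) if f["reasons"]]


if __name__ == "__main__":
    for finding in suspicious_links(SAMPLE_EMAIL_HTML):
        print(finding["href"], "->", ", ".join(finding["reasons"]))
```

The text-versus-href comparison is the one that catches the "type the URL yourself" problem directly: a user who retypes the address they see would land on the real bank, while clicking goes elsewhere. The checks are deliberately conservative (only anchor text that is itself URL-shaped is compared), so plain "Click here" links produce no mismatch finding and need other signals, such as sender authentication, to judge.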