The number of U.S. adults that are sure or think that they have received phishing e-mails has nearly doubled since 2004, according to a survey by Gartner, Inc. Financial losses stemming from phishing attacks have risen to more than $2.8 billion in 2006.
"The good news is that, this year, fewer people think they lost money to phishers, but when they did lose, they lost more," said Avivah Litan, vice president and distinguished analyst at Gartner. "The average loss per victim nearly quintupled between 2005 and 2006, and the thieves seem to be targeting higher-income earners who are also more likely to transact on the Internet."
According to the survey, approximately 109 million U.S. adults have received phishing e-mail attacks, up from 57 million U.S. adults in 2004. The average loss per victim has grown from $257 to $1,244 per victim in 2006. The average amount of money consumers recovered from phishing attacks in 2005 was 80%, but in 2006, recovery amounts dropped to 54%.
High-income adults earning more than $100,000 per year are more heavily attacked. This group reported receiving an average of 112 phishing e-mails in the past year versus 74 e-mails per consumers across all income brackets. The high-income adults lost on average $4,362, almost four times as much as other victims.
Phishing e-mails that reach consumers are impersonating banks less often, and other brands, such as PayPal and eBay, more often. Bank and credit card company refunds to consumers who lost money because of phishing attacks are declining as a percentage of total refunds, while refunds from non-financial services companies and retailers are growing as a percentage of total funds.
"Cyber-criminals are starting to shift away from attacking online banks directly, and they are leveraging less conventional brands and/or using hard to detect social engineering methods to reap financial gains," Litan said. "Countermeasures such as phishing detection and take-down services deployed by banks, Internet service providers and other service providers are obviously not sufficiently widespread or effective."
According to the Gartner survey of 5,000 online adults in August 2006, an estimated 24.4 million Americans have clicked on a phishing e-mail in 2006, up from approximately 11.9 million in 2005, while 3.5 million have given sensitive information to the phishers, up from 1.9 million adults last year.
Recent browser upgrades (such as with Microsoft's Internet Explorer and Mozilla's Firefox) will try and flag known phishing attack sites to consumers, but Gartner analysts said many attacks could still slip by.
"Many of the browser upgrades are still incomplete and immature in terms of protections afforded," Litan said. "For at least two more years, phishing attacks will continue to increase since it's still a lucrative business for the perpetrators."
The fear of phishing attacks is having a dramatic impact on non-solicited e-mails, as more adults delete e-mails if they don't know the person sending them. "Among respondents who say their trust in e-mail has been adversely affected by the recent spate of security-related incidents, 85% delete e-mails they don't trust without opening them first."
"The anti-phishing measures some enterprises have put in place to protect their brand and their consumers are not working," Litan said. "Phishers are moving from site to site to launch their attacks more quickly than ever. The average life of phishing sites has gone from one week a couple years ago to about one hour in 2006. Within a year or so, phishing sites may be user specific -- that is a single site will be set up to launch a phishing attack against a single user. It's no wonder the detection services can't keep up with these rapid criminal movements."