Phishers Cast Bait for Bigger Catch
Americans are losing fewer dollars to online phishing schemes as a whole, but Internet-savvy, affluent PC users are being hit up for more money than ever, according to the latest Gartner research.
Based on a survey of 5,000 consumers in the United States, Gartner said users are being assaulted with more phishing attacks than ever before and are falling for more of the gimmicks. Yet at the same time, customers are losing less money to the schemes, due to a growing awareness of the online fraud model, as banks and other businesses spoofed in the attacks have put more tools in place to help identify suspicious behavior.
Gartner estimates that 109 million U.S. adults received phishing e-mails during the last 12 months, compared to only 57 million in 2004. An estimated 24.4 million Americans went on to click on phishing e-mails in 2006, up from approximately 11.9 million in 2005. The company said 3.5 million adults gave sensitive information to fraudsters in 2006, compared to only 1.9 million adults last year.
Based on the survey, the average loss per victim has grown from $257 to $1,244 per victim in 2006. Finding a refund for money lost to the schemes has also become harder: Consumers recovered approximately 80 percent of their cash in 2005, but are getting back an average of only 54 percent in 2006.
Awareness of phishing attacks does appear to be growing, according to Gartner's survey, as 85 percent of those interviewed said they do not open or respond to unsolicited e-mails.
"It's a mixed bag. The bad news is volume is up, the good news is that the attacks are less financially successful and the worst news is that when the schemes are successful, they're stealing five times more money than before," said Avivah Litan, an analyst at Gartner, based in Stamford. "There is more resistance from banks, so the operators are changing attacks and going to less convenient models that are harder to catch, and where it is harder to get your money back."
The analyst said that among the tactics being employed successfully by phishers are efforts that launch and shut down fraudulent Web sites very quickly, so that the attacks become moving targets that are harder to stop using conventional blacklists. The average life span of a phishing site has dropped to roughly 1 hour in 2006, whereas it was approximately one week in 2004. Litan said attackers may have already begun to create customized phishing schemes that target specific people, specifically those who appear to have more money than the average Web user.
While attacks that try to impersonate bank Web sites have finally slowed, attacks against popular Web companies including eBay and its PayPal subsidiary continue to multiply. Banks and credit card companies are refunding fewer customer claims because of the lower number of attacks, while other companies, including financial services firms and retailers, are being forced to pay back more of their clients.
At the same time, phishers have discovered new ways to track down the personal information of wealthier Internet users, and are increasingly targeting those types of people with success, despite a higher level of Web usage and security awareness on the part of the well-to-do victims, Litan said.
The Gartner report said surveyed adults earning more than $100,000 per year had received an average of 112 phishing e-mails during the last 12 months, compared to an average of 74 e-mails per person across all income brackets. The high-income adults lost an average of $4,362 to phishing schemes, nearly four times more than other victims.
One reason that high-income users may be targeted more often is that they tend to participate in more online transactions than other people, such as using online financial services, trading systems and e-commerce sites. Scammers are also buying lists of rich customers from marketers, and using the credit card numbers given to customers with larger credit limits by popular credit card companies.
Phishers are also duping wealthy users via intricate social engineering schemes, Litan said. In one example she cited, fraudsters are acquiring the screen names of eBay users bidding on high-end automobiles and creating scams that offer the individuals a second chance to buy pricey cars that have already been sold, only to make off with the cash they transfer for deposits.
In all, Litan estimated that Web users have lost some $2.8 billion to phishing attempts since the attacks began appearing several years ago.