Saturday, November 9, 2024

Survey: Consumers Lost $3.2 Billion to Phishing Attacks in 2007

Some 3.6 million U.S. adults were victims of phishing attacks in the 12 months ending in August, losing an average of $886 apiece for an estimated total of $3.2 billion, according to a survey of more than 4,500 online users sponsored by Gartner Inc. Gartner, a technology research firm based in Stamford, Conn., also says fraudsters increasingly are targeting debit card accounts, and that bank and government efforts to control phishing-related fraud, while improving in some respects, are still inadequate.

There is some good news in the survey. The average loss per incident declined 29% from $1,244 last year. “The average loss is down because of more bank protections,” Gartner analyst Avivah Litan tells Digital Transactions News. Consumers also made greater recoveries. An estimated 1.6 million adults recovered 64% of their losses in 2007, compared with a 54% recovery rate for 1.5 million adults in 2006. Forty-three percent of respondents in the 2007 survey cited banks as the source of their recoveries, followed by eBay Inc.'s PayPal payments subsidiary, 25%; eBay itself, 20%; and credit card companies, 15%. Brokerage firms, merchants or stores, and unspecified entities accounted for the rest.

Phishing, which in its most basic form is an e-mail that attempts to get the recipient to divulge personal and financial information that the sender can use fraudulently, is still on the rise despite efforts by banks, bank regulators, and other industry players to control it. The number of online adults who definitely received, or think they received, a phishing attack e-mail rose 118% in three years, from 57 million in 2004 to 124 million in 2007, according to Gartner. Fourteen percent more adults definitely received, or think they received, phishing e-mails in 2007 when compared to 2006.

More attacks were successful in 2007 than in the previous two years, partly because fraudsters are getting better at targeting individuals, Litan says. In 2007, 3.3% of consumers who received a phishing e-mail say they lost money because of the attack, compared with 2.3% in 2006 and 2.9% in 2005, according to similar Gartner surveys done in those years.

Fraudsters increasingly went after debit card accounts rather than credit card accounts or other online payment systems such as PayPal. That's because of weaker fraud protections for deposit accounts than credit card accounts, according to Litan. Of those respondents who lost money to phishing attacks, 47% said a debit or check card had been the payment method used when they lost money or had unauthorized charges made on their accounts, followed by 32% who listed a credit card as the payment method. Some 24% listed a bank account as the method, the report says. Gartner allowed multiple responses.

Fraudsters are now targeting users, and their online friends, of social-networking Web sites such as Facebook, Litan says. Others are “spearphishing” by getting some information about targeted victims ahead of time, making it harder for victims to discern that an e-mail is fraudulent. Still others are sending what Litan calls “social-engineering” e-mails such as electronic greeting cards that the recipient assumes are from a friendly party.

Phishers have ramped up their technology, sending more and more malicious spy software, or malware, which implants itself on a victim's computer when an e-mail is opened or the recipient clicks on a link. Malware, including so-called man-in-the-middle software, can monitor a victim's keystrokes or even enable the sender to move funds out of bank accounts unbeknownst to the consumer or user until it's too late. According to the survey report, “Although consumers are not able to report on malware attacks (because they don't typically see or know about them), Gartner has learned from several security companies that malware … delivered to consumer desktops, often through phishing e-mails, is exponentially increasing. For example, in October 2007, Cyveillance, an anti-phishing and anti-malware service, discovered four times more unique malware attacks, or 101,300 attacks, delivered via the Web than traditional phishing attacks, which numbered 28,533.”

Litan says that while banks have beefed up the security of their electronic-banking channels because of stricter Federal Financial Institutions Examination Council guidelines, the fraudsters are still one step ahead. In addition, bank regulators are “in the dark,” according to the report, about the true extent of fraud because of incomplete and inconsistent fraud reporting by banks.

Consumers share some of the blame, too. “Eleven percent of online adults say they don't use any security software (that is, anti-virus, anti-spyware products) on their desktops, and another 45% use only what they can get for free,” the report says.

Research firm Synovate provided the randomly selected sample of 4,517 U.S. adult online users for the study, which was conducted online. The results have a margin of error of plus or minus 1.5% at the 95% confidence level for responses from all users; answers with fewer responses have a larger error margin.

Digital Transactions