Nov. 9, 2006 at 7:00 AM ET
Internet users who fell for phishing e-mails in the past year lost five times as much money as victims in the preceding 12 months and are far less likely to recover the stolen funds, according to a survey released Thursday by the research firm Gartner.
"People kept saying this problem will become manageable, but what surprises me is it's getting worse," said Gartner analyst Avivah Litan, who estimated that the phishers used personal data obtained through phony e-mails to steal $2.8 billion during the past several years.
Phishing, which emerged as a major Internet concern several years ago, involves a criminal sending an e-mail that masquerades as official correspondence from a name-brand bank or Web site. The message is really a ruse designed to persuade recipients to click on a link in the e-mail, visit a Web page controlled by the criminal, and type personal information into a form there.
You've probably been aware of phishing for several years now, and yet the irritating spammed fraud messages keep coming. There's a good reason: They still work and are becoming even more lucrative.
Despite dogged efforts by technology firms and financial institutions, phishers seem to be staying one step ahead.
Twice as many consumers reported receiving at least one phishing e-mail in the 12 months ending Aug. 30, 2006, compared to the previous year, the survey found. And twice as many said they clicked on a link in a phisher e-mail during the past year.
But Litan's most troubling finding is that the average loss per victim nearly quintupled since Gartner’s last survey, from $257 per incident to $1,244.
Victims also are having a tougher time recovering their losses. In the 2004-2005 survey, 80 percent of victims said they were able to get refunds for the stolen money, most often from their banks. In the most recent period, that number plummeted to 54 percent.
One reason for the decline is that phishers have moved away from posing as major banks in favor of more creative and elaborate e-mails, including fake sweepstakes messages. In one, a criminal tells recipients they have won the “Microsoft Sweepstakes Lottery International Programme.” Clicking on the enclosed link sometimes prompts "winners" to send money to the criminal using an unprotected wire service or Internet payment mechanism, which don’t have the same refund protections as credit card or online banking transactions.
There is some good news in Litan's report. The number of people who say they've lost money to phishers declined slightly, although by an amount within the survey's margin of error of 3 percentage points.
Federal regulators have responded to the phishing problem, requiring this year that banks implement new security schemes to protect online banking customers. Bank of America was among the first to adopt procedures that go beyond a simple user name and password for access to online banking. Through its SiteKey initiative, consumers choose a picture that the bank displays to them during log-in, so that a look-alike page that cannot show the picture can be recognized as a fake. Consumers must also answer additional personal questions, such as "What high school did you graduate from?", before accessing their accounts.
But phishers are taking on that challenge. Last month, security firm Sestus Data Corp. reported on an elaborate look-alike e-mail designed to mimic Bank of America's SiteKey log-in screen. The link transported users who clicked on it to a Web page that asked them to enter the answers to the personal questions they had previously set up with the bank.
Even with that information, criminals would have a hard time getting past Bank of America’s log-in screen. But they would have a good head start.
Antivirus firm F-Secure also reported last month that phishing has not slowed down. It found a thriving aftermarket for look-alike domain names such as "Bankofameruca.com" or "chasebank.ru," which it said were being purchased by "phishing gangs."
Financial institutions are still thrashing about trying to combat the problem, Litan said. Many call her firm for advice, flustered by the problem.
A difficult fix
"There is no easy way for them to solve it," she said. "Basically it requires them to tighten up the Internet and there is no easy way to do that."
There are two pieces to a phishing attack: a lure and a trap. The lure, which is really just spam, is a look-alike e-mail that implores recipients to click on an embedded link. The trap is a Web site controlled by the criminal, containing forms where consumers enter their personal information.
The attacks are effective because it's easy for e-mail and Web sites to masquerade as legitimate bank messages. In some cases, it's nearly impossible to tell the difference between the imposter and the real thing.
So far, attempts to slow the crime have largely focused on taking down phishing Web sites. Companies pay firms to scan the Internet for look-alike sites and have them removed as soon as possible. That's a challenge, given that many sites are hosted overseas, but there have been some successes.
Still, Litan said, the phishers are staying ahead in this game by time-sharing "botnets" of hacked computers and continually moving their Web sites around the Internet.
"Companies are putting in these detection services, spending all this money, but the attacks are still getting through," she said. "Phishers really know how to evade detection services. They are an elusive enemy."
Ultimately, she said, criminals will control so many hacked computers connected to the Internet that each phishing spam e-mail will have a link to its own unique Web site -- rendering takedown strategies completely ineffective.
Even the newest anti-phishing services, such as the detection feature included in new Web browsers, aren't terribly effective, Litan said. These work somewhat like antivirus or spam software, blocking visits to known phishing Web sites, a procedure called "blacklisting." The software has some ability to recognize new threats, too. But, like antivirus software, it has trouble keeping up with fast-changing attacks.
Instead, Litan believes banks and Internet providers will ultimately have to rely more on some kind of "white-list" procedure, which positively identifies legitimate e-mail from banks and other institutions and labels everything else as suspicious.
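The lure-and-trap structure, the look-alike domains F-Secure described, and the blacklist-versus-white-list distinction in the preceding paragraphs can be exercised together on a single link from a suspect e-mail. The following is an added example, not code from the article, Gartner, F-Secure or any bank: the whitelist of legitimate domains, the blacklisted host and the lure links are constructed for illustration, and all function names are this example's own.

```python
"""Lure-and-trap triage for links in a suspect e-mail (added example).

Given a link's visible text and its real target, decide whether the target
host is on a blacklist of known phishing sites, on a whitelist of the
institution's real domains, a look-alike of a whitelisted domain, or simply
unknown, and whether the text shown to the reader names a different site
than the one the link actually opens.
"""
from typing import Dict, Tuple
from urllib.parse import urlparse

# Constructed sample data for this example, not from the article or any bank:
# the domains an institution really uses, and hosts already reported as traps.
LEGITIMATE_DOMAINS = {"bankofamerica.com", "chase.com", "microsoft.com"}
BLACKLISTED_HOSTS = {"secure-verify-account.example.net"}

# A registrable label this close to a real brand label is treated as a typo.
LOOKALIKE_DISTANCE = 2


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert, delete, substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_domain(host: str) -> str:
    """Last two labels of a host. Production code should consult the public
    suffix list (so 'bank.co.uk' works); two labels suffice for the
    .com/.net/.ru sample data used here."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def classify_host(host: str) -> Tuple[str, str]:
    """Return (verdict, reason) for the host a link really points to."""
    host = host.lower().rstrip(".")
    domain = registrable_domain(host)
    if host in BLACKLISTED_HOSTS or domain in BLACKLISTED_HOSTS:
        return "blocked", "host is on the blacklist"
    if domain in LEGITIMATE_DOMAINS:
        return "trusted", "domain is on the whitelist"
    labels = host.split(".")
    for legit in sorted(LEGITIMATE_DOMAINS):
        brand = legit.split(".")[0]
        # Whole trusted domain used as a subdomain: bankofamerica.com.evil.ru
        if f".{legit}." in f".{host}.":
            return "lookalike", f"{legit} appears as a subdomain of {domain}"
        # Brand name reused or extended in any non-TLD label: chasebank.ru,
        # chase.evil.ru, microsoft-sweepstakes.example.net
        for label in labels[:-1]:
            if label.startswith(brand):
                return "lookalike", f"label '{label}' borrows the name of {legit}"
        # Typo of the brand in the registrable label: bankofameruca.com
        if levenshtein(domain.split(".")[0], brand) <= LOOKALIKE_DISTANCE:
            return "lookalike", f"'{domain}' is within {LOOKALIKE_DISTANCE} edits of {legit}"
    # The white-list stance: anything unrecognised is suspicious, not trusted.
    return "unknown", "not on the whitelist"


def check_link(anchor_text: str, href: str) -> Dict[str, object]:
    """Triage one lure link: the real target host, its verdict, and whether
    the visible text names a different domain than the target."""
    target_host = (urlparse(href).hostname or "").lower()
    verdict, reason = classify_host(target_host)
    shown = anchor_text.strip().lower()
    shown_host = urlparse(shown if "://" in shown else "http://" + shown).hostname or ""
    # Only compare when the visible text itself looks like a host name.
    mismatch = "." in shown_host and registrable_domain(shown_host) != registrable_domain(target_host)
    return {
        "target_host": target_host,
        "verdict": verdict,
        "reason": reason,
        "display_mismatch": mismatch,
        "suspicious": verdict != "trusted" or mismatch,
    }


if __name__ == "__main__":
    # Constructed lure links (visible text, real href), not taken from real mail.
    lure_links = [
        ("www.bankofamerica.com", "http://bankofameruca.com/sitekey/"),
        ("Log in to Chase", "https://chasebank.ru/login"),
        ("Claim your prize", "http://microsoft-sweepstakes.example.net/"),
        ("www.bankofamerica.com", "https://www.bankofamerica.com/"),
    ]
    for text, href in lure_links:
        print(f"{text!r} -> {href}: {check_link(text, href)}")
```

The order of checks is the point: a blacklist hit is definitive, only an exact whitelist match earns "trusted", and everything else is at best "unknown". That is the white-list stance the article describes, and its cost is visible here too: a real but unlisted domain such as a bank's separate payments brand will be flagged as a look-alike, so the whitelist has to be complete. A link can also come back "trusted" while `display_mismatch` is true; the text the reader sees and the place the link goes are checked separately because the lure relies on the gap between them.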
That might sound severe, but Litan believes electronic commerce is suffering in the current environment. She said consumers report spending about $2 billion less online this year over fears about electronic fraud.
"That's all money left on the table," she said, in addition to the money criminals are taking off the table for themselves.