Study: $3.2 Billion Lost to Phishing in 2007
U.S. consumers were scammed out of roughly $3.2 billion over the past year from phishing scams, a significant increase over last year, according to a survey released this week.
The estimate, produced by Stamford, Conn.-based research firm Gartner Inc., was based on a survey of 4,500 online adults. The findings indicate that despite a great deal of media attention to the phishing epidemic, the message still isn't getting through to a fairly constant percentage of Internet users.
From the survey, which examined consumer experiences with phishing attacks in the year ending Aug. 2007: "Of consumers who received phishing e-mails in 2007, 3.3 percent say they lost money because of the attack, compared with 2.3 percent who lost money in 2006, and 2.9 percent who did so in 2005, according to similar Gartner surveys during those years."
Three billion dollars may seem like a high number, but my suspicion is that if we were to include dollar losses from malicious software designed to steal usernames and passwords from infected machines, the loss figures would be far higher. While the Gartner study references the threat to financial and personal data from such malware, it doesn't appear that so-called "crimeware" was a focus of the questions put to consumers in the survey.
On the other hand, it's not clear it would have made much of a difference had Gartner asked a question about losses from malicious software. In my experience, a large percentage of people who have keystroke loggers and password stealing malware on their systems continue to use their PCs completely oblivious to the fact that criminals control their machines. Or even for those users who do discover and eliminate a spyware problem, fraud losses could continue as the scammers continue to use the information they were originally able to steal from the victim.
According to Gartner, the average dollar loss per incident declined to $886 from $1,244 in 2006 (with a median loss of $200 in 2007). Other data included in the survey reinforces the advice about using credit card vs. debit cards for online transactions. From the survey: "Of those consumers who lost money to phishing attacks, 47 percent said a debit or check card had been the payment method used when they lost money or had unauthorized charges made on their accounts. This was followed by 32 percent of respondents who listed a credit card as the payment method, and 24 percent who listed a bank account as the method (multiple responses were allowed)."
Still, the amounts that consumers were able to recover also increased. On average, an estimated 1.6 million phishing victims recovered about 64 percent of their individual losses in 2007, up from the 54 percent of losses recovered by 1.5 million adults in 2006.
The Gartner report also touches on a bit of a pet issue for Security Fix: The idea that reporting by banks about security incidents that may impact data about customers or employees is inconsistent and not terribly useful in helping us measure the true cost of online fraud. Earlier this year, Gartner analyst Avivah Litan and Chris Hoofnagle, a senior fellow with the University of California at Berkeley, submitted a Freedom of Information Act request to the Federal Deposit Insurance Corporation, requesting all bank-reported data on fraud attacks between Jan. 27, 2005, and May 30, 2007.
The information released by FDIC in response to the FOIA indicated spotty and inconsistent reporting by U.S. banks to the regulator (click the image above for an example). "The data quality was so poor that it was impossible to draw any conclusions from it other than that the regulatory reporting on fraud attacks is severely lacking," Litan said.
Posted by: C.B. | December 19, 2007 7:11 PM | Report abuse
Posted by: FairlingtonBlade | December 19, 2007 10:34 PM | Report abuse
Posted by: antibozo | December 20, 2007 4:18 AM | Report abuse
Posted by: ParanoidOne | December 20, 2007 10:06 AM | Report abuse
Posted by: SC | December 20, 2007 10:58 AM | Report abuse
Posted by: TJ | December 20, 2007 11:52 AM | Report abuse
Posted by: ParanoidOne | December 20, 2007 2:53 PM | Report abuse
Posted by: Peter | December 29, 2007 4:36 PM | Report abuse
The comments to this entry are closed.