
Study: $3.2 Billion Lost to Phishing in 2007

U.S. consumers were scammed out of roughly $3.2 billion over the past year from phishing scams, a significant increase over last year, according to a survey released this week.

The estimate, produced by Stamford, Conn.-based research firm Gartner Inc., was based on a survey of 4,500 online adults. The findings indicate that despite a great deal of media attention to the phishing epidemic, the message still isn't getting through to a fairly constant percentage of Internet users.

From the survey, which examined consumer experiences with phishing attacks in the year ending Aug. 2007: "Of consumers who received phishing e-mails in 2007, 3.3 percent say they lost money because of the attack, compared with 2.3 percent who lost money in 2006, and 2.9 percent who did so in 2005, according to similar Gartner surveys during those years."

Three billion dollars may seem like a high number, but my suspicion is that if we were to include dollar losses from malicious software designed to steal usernames and passwords from infected machines, the loss figures would be far higher. While the Gartner study references the threat to financial and personal data from such malware, it doesn't appear that so-called "crimeware" was a focus of the questions put to consumers in the survey.

On the other hand, it's not clear it would have made much of a difference had Gartner asked a question about losses from malicious software. In my experience, a large percentage of people who have keystroke loggers and password stealing malware on their systems continue to use their PCs completely oblivious to the fact that criminals control their machines. Or even for those users who do discover and eliminate a spyware problem, fraud losses could continue as the scammers continue to use the information they were originally able to steal from the victim.

According to Gartner, the average dollar loss per incident declined to $886 from $1,244 in 2006 (with a median loss of $200 in 2007). Other data included in the survey reinforces the advice about using credit cards rather than debit cards for online transactions. From the survey: "Of those consumers who lost money to phishing attacks, 47 percent said a debit or check card had been the payment method used when they lost money or had unauthorized charges made on their accounts. This was followed by 32 percent of respondents who listed a credit card as the payment method, and 24 percent who listed a bank account as the method (multiple responses were allowed)."

Still, the amounts that consumers were able to recover also increased. On average, an estimated 1.6 million phishing victims recovered about 64 percent of their individual losses in 2007, up from the 54 percent of losses recovered by 1.5 million adults in 2006.

The Gartner report also touches on a bit of a pet issue for Security Fix: The idea that reporting by banks about security incidents that may impact data about customers or employees is inconsistent and not terribly useful in helping us measure the true cost of online fraud. Earlier this year, Gartner analyst Avivah Litan and Chris Hoofnagle, a senior fellow with the University of California at Berkeley, submitted a Freedom of Information Act request to the Federal Deposit Insurance Corporation, requesting all bank-reported data on fraud attacks between Jan. 27, 2005, and May 30, 2007.

The information released by FDIC in response to the FOIA indicated spotty and inconsistent reporting by U.S. banks to the regulator (click the image above for an example). "The data quality was so poor that it was impossible to draw any conclusions from it other than that the regulatory reporting on fraud attacks is severely lacking," Litan said.

By Brian Krebs  |  December 19, 2007; 5:58 PM ET
Categories:  Fraud  


The phishing attacks that I see on my personal and client e-mail accounts just get better and better each day. IMHO, the ability to be anonymous and cover one's tracks via various Internet mechanisms has to be curtailed. I know that treads on thin ice when it comes to people's freedom of speech stuff in oppressive nations, but anonymity online breeds abuse -- in a major way.

Anybody know what percentage of their operating budgets financial institutions are allocating towards anti-fraud measures? And which financial institutions handle online fraud and the impact on the clients in the most efficient and client-friendly manner?

Posted by: C.B. | December 19, 2007 7:11 PM

I only use a bookmark or type in the address of my financial institutions directly. I receive regular email from these institutions noting that they never, ever send emails requesting verification. It's the only way to be safe.

I read a WaPo article recently about the demise of checkbook mathematics. A consumer course for high school students would pay many rewards in the decades to follow.

Now, excuse me, but there's a Nigerian prince who wants to make me a millionaire. :)


Posted by: FairlingtonBlade | December 19, 2007 10:34 PM

C.B.> IMHO, the ability to be anonymous and cover one's tracks via various Internet mechanisms has to be curtailed.

The anonymity that enables phishing (i.e. large, distributed botnets) is not subject to policy.

Posted by: antibozo | December 20, 2007 4:18 AM

As FairlingtonBlade points out in his comment, the only way to be safe is to type in URLs. That, also, is subject to scam. There are scam sites that are one keystroke off from legitimate sites, so that if you dyslexically mistype a URL you can land on a fake site. Then when you are downloading something you think is safe, say Adobe Reader, you can end up with a key logger on your machine.

Posted by: ParanoidOne | December 20, 2007 10:06 AM
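The "one keystroke off" lookalike problem ParanoidOne raises can be checked mechanically before a typed address is trusted. The following is an added example, not code from the original post or from any commenter: it compares a typed hostname against a constructed set of bookmarked hostnames and flags anything within a single edit (insert, delete, substitute or swap of adjacent characters). The hostnames in TRUSTED_HOSTS are constructed sample values.

```python
from typing import Optional, Tuple

# Constructed sample bookmarks; replace with the hostnames you actually bookmark.
TRUSTED_HOSTS = {"www.examplebank.com", "online.examplecu.org"}


def edit_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insert, delete, substitute,
    or transpose two adjacent characters, each counting as one edit."""
    prev2: Optional[list] = None          # row i-2, needed for transpositions
    prev = list(range(len(b) + 1))        # row i-1; row 0 is 0..len(b)
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cost = 0 if ca == cb else 1
            best = min(prev[j] + 1,           # delete ca
                       cur[j - 1] + 1,        # insert cb
                       prev[j - 1] + cost)    # substitute / match
            # Adjacent swap, e.g. "exmaple" for "example".
            if prev2 is not None and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                best = min(best, prev2[j - 2] + 1)
            cur.append(best)
        prev2, prev = prev, cur
    return prev[-1]


def check_host(typed: str) -> Tuple[str, Optional[str]]:
    """Classify a typed hostname (no scheme or path) against the bookmarks.

    Returns ('trusted', host) for an exact bookmark match,
    ('lookalike', nearest_bookmark) when it is one keystroke away,
    and ('unknown', None) otherwise."""
    host = typed.strip().lower().rstrip(".")
    if host in TRUSTED_HOSTS:
        return ("trusted", host)
    for good in sorted(TRUSTED_HOSTS):
        if edit_distance(host, good) <= 1:
            return ("lookalike", good)
    return ("unknown", None)


if __name__ == "__main__":
    for candidate in ("www.examplebank.com", "www.exmaplebank.com", "www.totallyother.net"):
        print(candidate, "->", check_host(candidate))
```

A "lookalike" result is the cue to stop and use the bookmark instead of the typed address; "unknown" simply means the host is not one you have recorded.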

Of all the types of malware out there, a keylogger is my most pressing concern.

What software(s) will find and remove these programs? I am currently using Zone Labs Security Suite.


Posted by: SC | December 20, 2007 10:58 AM

Obviously prevention is the key here. From my experience, the problem seems to stem from a lack of awareness and critical thinking skills, which is all too common in our microwave mentality world. Throw in many that are too trusting or just plain gullible and the low hanging fruit is ripe for the picking.

It all starts with a secure computer. If that's compromised, it's not your computer anymore, but instead the bad guys'! Game over! One of the most important defenses against malware is to use a limited user account (see below). Also, avoid peer-to-peer file sharing software (very risky, likely to compromise system) on the computer to be used for secure sites. Use a malware/ad blocking hosts file. NEVER click links in e-mail!

When using secure web sites (banking, etc.):
- Close all other programs
- Delete all cookies
- Empty Temporary Internet Files
- Save secure websites to a bookmark and always use that bookmark
- Ensure the browser indicates a secure session (lock symbol)
- Check the website's security certificate
- Do not open another browser window or tab while using a secure session
- Print transactions for documentation as needed
- Use the site's log off function, then close browser
- Delete cookies and empty temporary internet files again

Also, review your banking and credit card transactions often for any fraudulent activity and immediately report it.

The Importance of the Limited User, Revisited - Security Fix

Posted by: TJ | December 20, 2007 11:52 AM

For commenter SC:

ZoneAlarm also offers a free beta version of their ForceField product which claims to thwart key loggers. This is not currently included in their Security Suite, so you have to download it separately. ForceField sets up a virtual machine for your browser, also called a sandbox.

Posted by: ParanoidOne | December 20, 2007 2:53 PM

I would highly recommend SocketShield by Exploit Prevention Labs.

It warns you of all negative/positive links. For example, when you google a term, it tells you whether the site is safe (green tick) or not (red cross).

There are free and paid-for versions.

I also recommend AVG Free Anti-Virus, ZoneAlarm free edition firewall, A Squared Anti-Malware (free), Spybot Search and Destroy (free) and Ad-Aware by Lavasoft (free).

All free.

Also, keep backing up your data, use encryption and remember to keep creating restore points for Windows XP.

Posted by: Peter | December 29, 2007 4:36 PM
