Stamford (CT) - A report coming out of Gartner has pinned the cost of phishing attacks at $3.2 billion for the U.S. alone. There were 3.6 million adults who lost money in the time period between September 1, 2006 and August 31, 2007. That's up from only 2.3 million the year before, with 3.3% of those who received phishing emails saying they lost money because of it, up from only 2.3% in 2006 and 2.9% in 2005.
The attackers have stepped up their game. Avivah Litan, VP and "distinguished analyst" at Gartner, said, "Criminals have stepped up attacks on debit card and bank accounts, where back-end fraud detection systems are traditionally weaker than they are with credit card accounts."
Regarding the software side, Ms. Litan said, "Phishing attacks are becoming more surreptitious and are often designed to drop malware that steals user credentials and sensitive information from consumer desktops. Anti-phishing detection and prevention solutions are available but not utilized widely enough to stop the damage. These must be deployed and combined with solutions that also proactively detect and stop malware-based attacks." Gartner's report goes on to that 11% of online adults do not use any kind of security software, like anti-virus or anti-spyware products on their desktop. An impressive 45% state that they only use what they can get for free.
Gartner reports that the average dollar loss per incident in 2007 was $886, down from $1,244 in 2006. Of the total $3.2 billion loss, the amount consumers were able to recover in 2007 increased to 64% and 1.6 million adults, up from 54% in 2006 and 1.5 million adults. Despite the increase, Gartner is reporting that bank regulators appear to generally be in the dark about the danger and monetary loss from phishing attacks.
Banking regulators in the dark
A cited U.C. Berkeley Freedom of Information Act request, whereby Gartner and the university obtained information from FDIC (Federal Depositor Insurance Corporation) for all bank-reported fraud attacks between January 27, 2005 and May 30, 2007, showed a staggering find. The analysis indicated "spotty, unreliable and unstructured data reported by U.S. banks to the regulator. Just 451 unique incidents were reported in this period. The data quality was so poor that it was impossible to draw any conclusions from it other than that the regulatory reporting on fraud attacks is severely lacking."
Gartner predicts that phishing and malware attacks will increase through 2009 because it is so lucrative. Still, the questions remain, how lucrative are these markets? And why can't the authorities track them down?
No one knows for sure how much these companies and individuals are making right now. However, our own Wolfgang Gruener had the opportunity several years ago while working for a German magazine to interview a German mail-fraud mastermind. His interview uncovered the global aspect of the operation. More than 150 people were employed at that time, in dozens of countries around the world, none of them in the U.S. He also had an undisclosed number of "spam bots", computers that had been taken over with malware that does not render the machine ineffective or disabled, but rather it receives commands to execute from the mastermind's home computer. The end-user is still able to use their computer, and may be completely unaware of the illicit operations taking place right on their own machine, via their own Internet connection.
Gruener discovered there was a huge percentage of responders, which I think is most amazing. Of the 2.2 billion emails his operation sent out each month at that time, 1% of the people responded. The money making angle involved in the schemes of the day, similar to the Viagara and Canadian pharmacy schemes we see today, came from a 40% commission paid directly to the spammer from the legitimately purchased items by the spammed. In short, the attacker was brining in an estimated $80 million per month from 2.2 billion emails sent out, and approximately 22 million people going out each month to buy something his operation would lead them to.
Gartner believes that enterprise operations should subscribe to anti-malware services and take precautions to ensure that the data they're safeguarding against such attacks, is actually as protected and isolated as is reasonably possible. As for the home user, the best advice is to not respond to unsolicited emails. It's probably the best way to keep your money and not become another line item on a U.S. statistic of phishing victims.