Phishing Attacks Surge Amid Recession

A new Gartner study shows the downturn has brought on a new wave of Web scams, with PayPal, eBay, and BofA customers the biggest targets for fraud

The latest evidence that economic woe is leaving more Americans vulnerable to Internet fraud came from an Apr. 14 report from Gartner. More than 5 million U.S. consumers lost money to phishing attacks in the 12 months ending in September 2008, a 39.8% increase from a year earlier, according to the new Gartner (IT) study. "Phishers are preying on the bad economy," says Avivah Litan, a security analyst at Gartner.

Not only that, fraudsters are also getting smarter about using what's known as social engineering to induce people to reveal sensitive information.

In a phishing scam, a consumer typically receives a spam e-mail message that looks like it was sent from a respected organization such as a bank. Those messages often ask consumers to click on a link to update account information or to view special promotions. When the consumer clicks the link, he is redirected to a fake Web site that requests personal information such as user names, passwords, or credit-card numbers, which are then collected to carry out identity theft.

Financial Collapse, Phishing Boom

Gartner's information squares with a separate report recently issued by security firm Cyveillance, which monitors the Internet for phishing attacks on behalf of enterprise clients. There was a spike in phishing attacks in September and October, Cyveillance says. "We believe there's a good chance that spike was related to the financial collapse, although there's no way to prove it," says James Brooks, director of product management at Cyveillance. Brooks says that phishers are very opportunistic and tend to take advantage of events in the news like the fall of the stock market.

In 2008, about 80% of the online adult population had received e-mail that appeared to be part of a phishing attack, up from 41% in 2004, according to the Gartner report. Of those who received spam messages, about 4.26% said they lost money to attackers. A 4% response rate is considered extremely successful in e-mail marketing campaigns, says Litan. The response rate is typically closer to 1.5%. This suggests that people behind these scams are expert manipulators, she says.

This report found that eBay (EBAY) subsidiary PayPal was the single most attacked brand, as in prior years. The second most popular phishing attack was spam e-mail related to lotteries and other offers of prizes. Ranking third was eBay itself, followed by all banks combined. Representatives of eBay didn't immediately respond to a request for comment.

BofA, Big Target

The report says that Bank of America (BAC) was, by a wide margin, the most attacked bank brand. Because Bank of America is the largest domestic bank, with the largest number of accounts, it's a bigger target for phishers, Litan says. "The criminals are much more efficient than the banks," says Litan, adding that banks are typically large organizations with many separate businesses that may not interact sufficiently. "The criminals are gangs who farm out the dirty work to contractors," she adds.

For its part, Bank of America says it takes many steps to help protect consumers. "We really have been a leader in adding extra layers of security and educating consumers," says Bank of America spokeswoman Betty Riess. For instance, consumers who bank online can choose a site key, essentially a symbol such as a cross or a car that they should see every time they go to Bank of America's Web site. Also, consumers get e-mail notifications each time something happens with their online accounts. Bank of America has also teamed up with groups such as the Anti-Phishing Working Group and the Online Trust Alliance to stay on top of the battle against fraud.

Branching Out

Phishers are also branching out beyond the tried-and-true e-commerce and financial sites. They're experimenting with barely known or fictitious brands such as lotteries, dating sites, and fake mortgage or pharmaceutical companies, which are considered easier targets. "Bank of America spends money taking down phishing attacks and will generally reimburse you if your account is taken over," Litan says. But it's much more difficult for consumers to fight fake lotteries and prize sites because they simply don't know who to contact for help.

The average consumer loss was $351 in 2008. Consumers recovered 56% of their losses and most of those costs were borne by consumer banks, PayPal, and other financial-services providers, Gartner says. There were a number of reasons why consumers weren't able to recover funds. The most common was that victims assumed they would not be able to get their money back, so they didn't try. The second most common reason was that they could not locate the scammer, as might happen with a fake lottery or prize site.

During the second half of 2008, 159 brands were the first-time targets of phishing attacks. Since 2005 more than 2,000 brands have been attacked, according to the Cyveillance report.

The bottom line, says Gartner's Litan, is that phishers will target the brands that will bring them the biggest return. "The criminals aren't going to use these brands unless they're succeeding."
