Out-Law / Your Daily Need-To-Know

Phishing cost $1.2 billion in US last year, says Gartner

07 May 2004, 12:00 am

Around 57 million Americans have been subject to a phishing attack, where e-mails appearing to come from legitimate businesses are sent in an effort to fish for recipients' financial details, according to a new Gartner report. It claims that the fraudulent attacks cost US banks and credit card issuers around $1.2 billion last year.

Phishing occurs when a fraudster sends an e-mail that contains a link to a fraudulent web site where the users are asked to provide personal account information. In a practice known as spoofing, the e-mail and web site are usually disguised to appear to recipients as though they are from a trusted service provider, financial institution or on-line merchant.

Phishing attacks are not new, but are increasing at an alarming rate. Security firm MessageLabs has reported that in August 2003 it intercepted only 14 phishing e-mails, but by the end of January this year, this number had risen to 290,016.

According to the Gartner survey of 5,000 adult US internet users, a projected 30 million on-line adults believe they have definitely experienced a phishing attack, and another 27 million believe they have observed what looked like a phishing attack. Ninety-two percent of the known or suspected attacks appear to have taken place in the past year.

Gartner estimates that about 19% of those attacked, or nearly 11 million US adult internet users, have clicked on the link in a phishing attack e-mail. Moreover, 3% of those attacked, or an estimated 1.78 million adults, report giving phishers their financial or personal information.

"Financial institutions, internet service providers, and other service providers must take phishing seriously," said Avivah Litan, vice president and research director at Gartner. "These service providers should take action to apply solutions that dramatically minimise, if not eradicate, the threat, even if the service providers themselves are not direct targets. Eventually, all participants in internet commerce will be hurt by an erosion of consumer trust in on-line transactions if phishing attacks are not sharply reduced from current levels."

The police and other enforcement agencies clearly have a role to play here. The UK's National Hi-Tech Crime Unit announced last week that it had arrested its first phisher, and followed this with the arrest on Wednesday of twelve Eastern Europeans. The six men and six women were accused of laundering money stolen by means of phishing attacks.