Phishing, a cyclical crime that typically dwindles in the winter, has started to buck that trend as the weak economy increases the supply of both perpetrators and victims.
In a presentation last month, the chief information security officer of eBay Inc.'s PayPal, Michael Barrett, showed a slide for 2008 with the usual trend — a large proportion of phishing e-mails targeting his company's brand from May to August — but with an unusual feature, a brief spike at year-end.
The cause? "We're not certain," he said, but he suggested that it indicates new blood in the phishing work force.
"There's some evidence that it was a series of newbies who had come in and were trying phishing kits that were old," Barrett said, "because at that period … we were seeing more old, poorly engineered phishing e-mails." More up-to-date phishers tend to copy the code and layout of e-mails sent by whatever company they are impersonating, reducing the spelling errors and other telltale signs of forgery that were more common in the past, he said.
Barrett did not speculate on the reasons behind this apparent influx of phishers. "It's actually quite a difficult question to get into," he said, "and it comes down to: What's the dynamic of what's going on in the black market at any given time, and it gets very involved. … It's very difficult to actually prove."
Frederick Felman, the chief marketing officer at MarkMonitor Inc., a San Francisco company that offers phishing protection services, said that phishers are typically less active in the winter because "it's just not as profitable for them." Consumers tend to take vacations during the winter months, he noted. "People aren't at work as much — that's where people get nailed."
Victims are snared at work because they have better e-mail access there than at home, he said, and because they have more distractions and are less attentive to warning signs that a particular e-mail may be a scam.
But people are also vulnerable at home, especially in the wake of layoffs and pay cuts. People are spending more time at home, either because they are jobless or because they cannot afford vacations, he said, and this is an ideal situation for cybercrime.
"My expectation is, there will be more white-collar crime, including phishing, in a down economy," Felman said. "Violent crime seems to go down and white-collar crime goes up, and whether they're willing or unwilling participants in the crime, people have more time to surf the Internet and do good or bad things on the Internet … as there's more idle hands, there will be more bad stuff occurring."
Another factor is the continuing uncertainty about many big companies, he said. Phishers use big news events, such as bank failures or the presidential election, to catch the attention of potential victims. Since the economy is in trouble, "there's a bigger opportunity for people to capitalize on that confusion, and I think you'll see increased phishing attacks this year," Felman said.
Avivah Litan, a vice president and research director at the research company Gartner Inc., said that online fraud tends to go hand-in-hand with economic downturns.
"We've seen, in every single recession, a spike in cybercrime of one sort or another," she said.
And though a lot of new phishers are using older techniques, she said, the veterans are still trying new techniques against which banks have fewer defenses.
"There's more e-mail sent out than ever, and a lot of it is these amateur kits, but some of it is this really sophisticated stuff" such as scams targeting the people in charge of corporate accounts, Litan said.
Bank defenses are holding against the influx of new attacks, she said. "More people are losing money than ever, but less money in the aggregate is being stolen" because banks and vendors are "able to take these attacks down very quickly."