
Analysts seem to agree that online “phishing” scams are a big problem, but they say the problem is evolving so rapidly that they cannot be sure just how big.
MasterCard International’s TowerGroup Inc. said in a report published this week that worldwide phishing losses this year would reach $137.1 million. Earlier forecasts have ranged from $100 million to more than $1 billion, though the larger figure included losses from additional frauds.
George Tubin, a senior analyst at Tower, said the emergence of new phishing techniques makes forecasting for 2005 difficult.
The standard phishing approach involves mass e-mails that appear to come from a bank, and invite customers to visit a fake Web site where they may end up revealing e-banking passwords and other personal information. More recent practices include setting up Web sites that claim to offer banking customers free online bill pay or even job opportunities if they submit personal information.
Some sites are surreptitiously installing keylogger programs on people’s home computers; these programs monitor all the keystrokes typed on the machine and later transmit the data to those who might use the information for criminal purposes.
“Without even knowing it, when people clicked on a link, they actually downloaded a keylogger on their PC, and when they went to an online bank site, this keylogger would log their strokes,” Mr. Tubin said. “That’s scary.”
TowerGroup, of Needham, Mass., estimated that phishing attacks would number 31,300 this year and 86,000 next year, and it said they will become increasingly sophisticated.
In July, the market research firm Financial Insights Inc., a unit of International Data Group Inc., said phishing losses this year would cost banks and consumers $100 million to $400 million. Gartner Inc. issued a report in May that said phishing, and other online frauds perpetrated against phishing victims, imposed losses of $1.2 billion.
Mr. Tubin said phishers are disguising themselves more aggressively, using others’ computers to host phishing Web sites and send e-mails.
Naftali Bennett, the chief executive of Cyota Inc., a New York vendor of anti-fraud services, said phishers are starting to prey on more banks and are becoming more prolific. He said one bank had been the target of 10 scams in August and 283 in October. “We’re seeing a sudden bombardment of a new bank that has been previously untouched,” he said.
One reason for the increase is that it is becoming easier to phish. Mr. Bennett said some criminals sell do-it-yourself kits online for $270, which include the logos of several large banks (the sellers were not willing to accept payment by credit card).
He also noted that 59% of phishing Web sites are hosted on hijacked computers; his staff must frequently persuade unsuspecting people that their personal computers are being used to launch a multimillion-dollar scam, he said.
“Earlier this week we tracked down a hijacked computer at a school in Taiwan,” Mr. Bennett said. “It took us quite a while to explain who we are.”
Even after overcoming the language barrier and getting an employee of the school to help, Cyota’s tech team had trouble disabling the site, Mr. Bennett said.
“Finally we told her, ‘Pull the plug! Just pull the plug!’ And she did, and the Web site went down.”










