Despite banks’ best efforts, more people are falling victim to phishing scams, according to research from Gartner Inc.
The number of people who said they lost money as a result of a phishing scam rose 43% from a year earlier, to 3.3% of survey respondents, according to the report, which was published Friday. The Stamford, Conn., market research company conducted an online survey of 5,000 U.S. adults in August.
“Attacks are more targeted,” said Avivah Litan, a vice president and research director at Gartner who wrote the report. “So it’s less obvious it’s a phishing attack.”
Modern phishing e-mails often use personal information, such as the name of a friend or employer, to better deceive their recipients.
One recent example was a September data theft from the online customer management software company Salesforce.com Inc. A phisher tricked a Salesforce employee into divulging a password, and then used it to gain access to databases and steal information on tens of thousands of customers.
The stolen data included employer names and other details that were used to personalize the phishing e-mails that followed.
Although the number of victims is rising, the amount of money they are losing is declining, due in large part to banks’ efforts to detect scammers earlier, Ms. Litan said.
The average loss victims reported dropped 29% from the prior year, to $866 in 2007, Ms. Litan’s survey found.
“Banks and other companies have put limits on how much you can transfer without raising a red flag,” she said. “There are tighter controls out there … it’s harder to get money out.”
But that is no reason to claim victory over the phishers, Ms. Litan said. “We haven’t made a dent in fighting phishing at all.”
Phishers are also favoring the theft of debit card numbers over credit card numbers because it is easier to get cash with debit cards, she said.
One of the most troubling trends she has noticed is the use of online advertising as a distribution tool for malicious software, she said. This could prove extremely disruptive for e-commerce if it leads consumers to stop trusting online ads.
“All of these new businesses are depending on online advertising,” Ms. Litan said. “The ad networks are really concerned about it.”
EMC Corp.’s RSA Security spotted a similar trend that exploits users’ trust of the online video site YouTube. RSA’s November online fraud report said it discovered an e-mail that directed people to a spoofed YouTube page.
The page pretended to be unable to play the advertised video, tricking determined video fans into installing malicious software on their computers that claimed it could fix the problem.
The software in fact hijacked the users’ machines to help the criminals spread further phishing e-mails.
“The spoofed Web site is not an actual phishing site, but rather a means to deliver and install malware which would assist fraudsters in future attacks,” the report said.
The Anti-Phishing Working Group, a trade group that tracks phishing trends, also found that phishers had stepped up their efforts over the summer.
The group’s report for August, which was published last month, found that phishers had increased their efforts to steal passwords using keystroke-logging software. The number of unique keylogging programs it observed grew 35%, to 294, between May and August.
The group’s report also provided data suggesting that financial institutions are having some success with fighting back; sites that host phishing attacks are short-lived. In August, they were online for an average of 3.3 days, down from a June average of 3.8 days.










