Fraudsters are targeting their phishing attacks at high-income earners and stealing larger sums of money, according to new research.
The report, released yesterday by Gartner, shows cyber criminals are identifying wealthy targets, who are more likely to make transactions on the internet. The findings show that people earning more than $100,000 (£52,000) per year are attacked more often than those earning less. Moreover, on average, high-earning people lost $4,362 (£2,276) in phishing scams - almost four times more than other victims.
The study found that the number of phishing attacks has doubled since 2004, with 109 million adults - in the US alone - receiving a phishing email, up from 57 million two years ago. It also found that financial losses from phishing scams this year have risen to £1.5 billion - twice the amount lost in 2004.
According to the study, which surveyed 5000 people in August, the average amount of money lost in a phishing scam jumped from $257 (£234) per victim to $1,244 (£650) in a year. However, the amount of money victims recovered from phishing attacks dropped to 54 per cent, from 80 per cent in 2005.
The research suggests that criminals are changing tactics and impersonating banks less often in their attacks, and increasingly posing as other retail brands, such as PayPal and eBay. As a result, refunds from financial institutions and credit card companies to victims have fallen, while reimbursements from non-financial organisations and other retailers are growing.
Avivah Litan, vice president and analyst at Gartner, believes many of the recent browser upgrades, including IE7 and Firefox 2.0, are ineffective in protecting online users against phishing, and predicts attacks will continue to rise over the next few years.
"Cyber-criminals are starting to shift away from attacking online banks directly, and are leveraging less conventional brands and using hard-to-detect social engineering methods to reap financial gains," she said.
"Countermeasures such as phishing detection and take-down services deployed by banks and internet service providers are obviously not sufficiently widespread or effective. Many of the browser upgrades are still incomplete and immature in terms of protections afforded. For at least two more years, phishing attacks will continue to increase since it's still a lucrative business for the perpetrators," she added.
In addition to the evidence showing criminals changing their approach and identifying wealthy targets, Litan says the fraudsters are moving their phishing sites more regularly and frequently changing the type of business they pose as to avoid detection.
She said: "The anti-phishing measures some enterprises have put in place to protect their brand and their consumers are not working. Phishers are moving from site to site to launch their attacks more quickly than ever.
"The average life of phishing sites has gone from one week a couple years ago to about one hour in 2006. Within a year or so, phishing sites may be user specific — that is a single site will be set up to launch a phishing attack against a single user. It's no wonder the detection services can't keep up with these rapid criminal movements."