Millions Hooked by ‘Phishing’ Scams

The phish bit a lot harder in the past 12 months: According to new research by Gartner Group, phony Web pages and e-mails made to resemble legitimate company Websites accounted for much of the estimated $2.4 billion lost to fraud against checking accounts.

These results help confirm what Gartner reported a month ago, when the research company estimated that one of every five American Netizens had been the target of a phishing attack: an e-mail or popup purporting to come from a company they do business with, but actually leading to a phony site rather than the real one.

Various reports have indicated recently that the companies most often impersonated in phishing scams are Citibank, eBay, and PayPal. The Anti-Phishing Working Group, which monitors and advises on phishing attacks, also said recent months have seen a new phishing technique: using JavaScript to replace the address bar at the top of the Web browser with a working fake, so the phisher can display a completely legitimate-looking URL while actually taking the surfer to the spoofed site.

Gartner surveyed 5,000 American Netizens in April and estimated from the results that about 1.98 million adult Netizens had experienced online fraud in the past 12 months, at an average cost of $1,200 per victim.

Announcing the survey results, Gartner research director Avivah Litan said most of the fraud was not the work of insiders but of thieves who stole account numbers and passwords and used them to get into online accounts or telephone banking channels.

"It will take time for the financial services industry to develop sophisticated back-end tools, but banks must implement stronger access controls to online and telephone banking systems," she said. "Shared-secret authentication is a good practical solution for strengthening access controls for online and telephone banking."

So is promoting technical standards against phishing, which is exactly what IBM, Tenet Healthcare, and Fidelity Investments have in mind in teaming up to create the Trusted Electronic Communications Forum, a group formed to research the best ways to fight the phish.

But they won't have it easy, if an earlier report from the Financial Services Technology Consortium is any indication. Formed earlier this year, the consortium produced a report identifying four characteristics of phishing that make the crime highly challenging to stop completely.

"First, it is a species of fraud that has a sophisticated technology basis… Second, phishing is dynamic in nature," the report said. "Threat models are continuing to rapidly evolve, in a high-stakes match of parry and thrust. It can be expected that with every counter-measure introduced by the industry, sophisticated criminal gangs will proffer counter-counter measures.

"Third, phishing is likely organized and draws on talented criminals…," the report continued. "Fourth, phishing vulnerabilities and solutions have substantial infrastructure components… the policies and practices of [Internet service providers] and domain registrars affect the trajectory of the problem and the frequency of attack."

The FSTC report also said enforcement is extremely difficult, though not necessarily impossible – in part because phishing operations are readily moved to offshore points of origin, but also because a single victim is unlikely to attract law enforcement attention unless he or she suffers a large enough financial loss.

"[L]ike identity theft," the report said, "the dollar impact of any one loss is relatively low, and below the threshold of a serious crime. Only in the aggregate might there be substantial loss."