
Report: Phishers Hooking Fewer (But Fatter) Victims

First the good news: While the number of phishing attacks continues to increase, fewer victims report falling for the scams than a year ago.

The bad news: Those who did get hooked by a phishing e-mail lost a lot more than the average 2005 phishing victim, and had a harder time recovering that money to boot.

The findings come from a study released today by Gartner Inc., a report that includes data from some 5,000 adults who took the company's online survey in August. According to Gartner, the average loss per phishing victim nearly quintupled from $257 in 2005 to $1,244 in 2006.

Perhaps more importantly from the victims' perspective, the average share of losses that victims were able to recover dropped from 80 percent in 2005 to about 54 percent in 2006. Gartner attributes at least part of that shift to a change in tactics by the scam artists. While financial institutions remain the top targets of phishing attacks, fraudsters are increasingly impersonating less-conventional or wholly fictitious brands -- such as made-up sweepstakes contests -- that have weaker or non-existent fraud controls, the report posits.

The top two targeted institutions from the Gartner survey results were eBay and PayPal, echoing similar findings this week in a study released by Phishtank, a community-based anti-phishing network.

Gartner said that bank and credit card company refunds to consumers who lose money to phishing attacks are declining as a percentage of total refunds, while reimbursements from non-financial services companies such as PayPal and retailers are growing. According to Phishtank, some 1,493 distinct scam sites impersonated PayPal in the month of October alone, with another 1,210 phishing sites targeting eBay.

As major financial institutions have embraced a variety of commercial anti-phishing technologies -- from site take-down services to back-end fraud detection -- many phishers have found it more expedient to expand the scam playing field. According to a recent report from the Anti-Phishing Working Group, phishing e-mails and Web sites targeted at least 148 different brands in August, up from just 84 in January.

"When we first started seeing phishing attacks a few years back people kept saying this was a problem that was going to die down, go away," said Gartner analyst Avivah Litan. "Instead what they're doing is becoming more elusive. Instead of just saying here, come give us your credit card number, they try to lure people with $250 gift cards at Target if they sign up for a sweepstakes right away. The problem is that unlike with the banks, victims have a much harder time getting their money back when they fall for these types of scams."

By Brian Krebs |  November 9, 2006; 11:41 AM ET Fraud , Latest Warnings , Misc. , Safety Tips

Comments




Talk about chutzpah. I received a phishing email putatively from the National Credit Union Administration (NCUA), a government agency.

Posted by: dbfrei | November 9, 2006 1:22 PM

I just received what I am positive is a phishing email from "PayPal" this morning. Is there a place where I can report this?

Posted by: Julia | November 9, 2006 1:39 PM

Julia -- for starters, you might try abuse@paypal.com, and Phishtank.com

Posted by: Bk | November 9, 2006 2:39 PM

What ever happened to PICKING UP THE PHONE to verify money matters?


Posted by: J. Warren | November 9, 2006 3:18 PM

Another good place to report Phishing E-mails is at Castlecops' Fried Phish
http://www.castlecops.com/pirt

Your report is carefully analyzed and data fed to many different agencies.

Posted by: PhishKiller | November 9, 2006 10:54 PM

One of the better features of Gmail is that aside from reporting ordinary spam, users can now also specifically nail phishing attacks. Presumably, such measures on the part of email clients will help to reduce these attacks, including ones directed to persons who unfortunately don't bother to report them....

Henri

Posted by: mhenriday | November 10, 2006 11:51 AM

If I report receiving a phishing e-mail to spoof@ebay.com or spoof@paypal.com, do they really do anything to shut the sites down? Or do they just refer the sites to some underfunded government agency?

Posted by: rsimpson@141.com | November 10, 2006 12:50 PM

They DO take that stuff seriously, but they probably get hundreds of forwarded phishing scam emails a day.

Rsimpson, thanks for reading and for leaving your comment, but you might consider leaving your e-mail address out of the sig next time. Site-scraping software used by spammers will snag that e-mail and before you know it you'll be getting even more spam (and phishing e-mails).

Posted by: Bk | November 10, 2006 4:24 PM

Are there any steps I can take with my bank to stop unauthorized monthly deductions? What if I just cancel my account? I believe I was scammed and have had over 400 dollars deducted from my account. The phone number I got from my bank wasn't a valid number. What are the steps I should take?

Posted by: BHML | November 11, 2006 1:13 AM

rsimpson - The high number of reports is why it's better to report to Phishtank and Castlecops - multiple reports are eliminated, and the responsible party gets a single report which is usually promptly dealt with.

I usually report them through SpamCop at the same time - some abuse desks are equipped to respond to the SpamCop reports quickly and do site takedowns.

Posted by: PhishKiller | November 11, 2006 7:29 PM

If an offer or a threat (e.g., "Your account is in jeopardy if you don't click on this link.") seems to come from a reputable online company (eBay, PayPal, your bank, etc.), do _not_ click on the link. It's almost certainly a fraudulent site. If you're worried, call the company. I called PayPal once to ascertain that my account hadn't been tampered with, and to cancel it, just in case. The PayPal rep was very helpful. As for requests for your financial or personal information or password, etc., those are guaranteed frauds. Reputable companies don't ask for those things via email. Nothing new in all that, and I suppose I'm preaching to the choir. (sigh)

Posted by: jc | November 12, 2006 10:11 AM


© The Washington Post Company