Phishing attacks in the US soared in 2007 as £1.6bn was lost to these attacks, according to a survey by Gartner.
The survey found that 3.6 million adults lost money in phishing attacks in the 12 months ending in August 2007, compared with 2.3 million the year before.
And the attacks were more successful in 2007 than they were in the previous two years, the survey found. Of consumers who received phishing emails in 2007, 3.3% said they lost money because of the attack, compared with 2.3% who lost money in 2006, and 2.9% in 2005, according to similar Gartner surveys during those years.
"Phishing attacks are becoming more surreptitious and are often designed to drop malware that steals user credentials and sensitive information from consumer desktops," said Avivah Litan, vice president and distinguished analyst at Gartner.
"Anti-phishing detection and prevention solutions are available but not utilised widely enough to stop the damage. These must be deployed and combined with solutions that also proactively detect and stop malware-based attacks."
Litan said customer-facing organisations could not expect their customers' desktops to be protected from malicious code, nor from email and/or advertising traps that lure innocent consumers to websites that turn out to be infection points.
"In fact, 11% of online adults say they don't use any security software (such as antivirus or anti-spyware products) on their desktop, and another 45% only use what they can get for free."
The average financial loss per incident declined to £443 from £622 lost on average in 2006 (with a median loss of £100 in 2007), but because there were more victims a bigger overall figure was lost to phishing this year, according to surveyed consumers.
On the plus side, the amounts that consumers were able to recover also increased. Some 1.6 million adults recovered about 64% of their losses in 2007, up from the 54% that 1.5 million adults recovered in 2006.
PayPal and eBay continue to be the most-spoofed brands, but phishing attacks increasingly employ devious social engineering attacks, impersonating, for example, electronic greeting cards, charities and foreign businesses.
Phishing and malware attacks would continue to increase into 2009 because it was still a lucrative business for the perpetrators, and advertising networks would be used to deliver up to 30% of malware that lands on consumer desktops, said Gartner.
The analyst group said there was no easy way out of this dilemma unless email providers have incentives to invest in solutions to keep phishing emails from reaching consumers in the first place, and unless advertising networks and other "infection point" providers have incentives to keep malware from being planted on their websites to reach unsuspecting consumers.
"Enterprises should at least protect their own brands from being used in phishing attacks by subscribing to an anti-phishing solution," Ms. Litan said. "Similarly, companies should subscribe to anti-malware services that detect malware targeting the firm's customers, and prevent it from spreading across consumer desktops. Custodians of consumer financial accounts must protect those accounts through fraud prevention, stronger user authentication and transaction verification."