More than 3.5 million US adults lost money to phishing scams and online identity theft in the 12-month period that ended in August, a 57% increase over the previous year, a Gartner fraud analyst said.
The bad news, said analyst Avivah Litan, didn't end there. About 3.3% of the 4,500 Americans polled in August said they had been victimised by a phishing attack and had lost money in the deal. In 2006, the figure was 2.3%.
And banking regulators are both "in the dark" and "asleep at the wheel," she noted.
In other words, phishing is far from ancient history. Even consumers familiar with the concept - and those, said Litan, remain a minority - are not necessarily immune from current scams. "Phishing is much more surreptitious, much more devious," she argued. "They're grabbing information from Facebook and MySpace and sending email like they're your friend. Then there's greeting cards and charities, both of which are up dramatically."
The practice hasn't gone unnoticed by other security experts, who have remarked - most notably about the Storm bot-building Trojan - that clever social engineering strategies are all the rage. The constantly changing cycle of new techniques simply makes it that much harder for consumers to recognise what's legitimate and what's illegal.
"It's not obvious, like it used to be," Litan added, referring to early phishing techniques that used bank-branded emails claiming the recipient needed to enter her log-in information within 24 hours or be locked out of her account. "Now malware is being dropped from emails, or from advertisements on web pages, or from compromised websites. Click on a link in an ad, and even if you don't enter any information, you're still getting infected."
That broadening of the definition of "phishing," which once stood for bogus email that tried to dupe users into giving up their passwords, had Litan grasping for a new term. "Maybe it should be called 'malphish,' or 'phishware,'" she said.
Gartner's annual survey also uncovered other shifts in identity theft. For the first time, bank check and debit card account information dominated the target list of phishers. In 2007, 47% of those who lost money said it was through a debit or bank check card, while credit cards accounted for just 32%. The year before, debit and credit cards were essentially neck and neck.
"Criminals have stepped up attacks on debit card and bank accounts, where back-end fraud-detection systems are traditionally weaker than they are in credit card accounts," said Litan. "And there are so many ways to use a debit card, whether it's for fund transfers or purchases or [cash] advances."
Among the few bright spots in Gartner's report are a drop in the average dollar amount lost per phishing incident, and an increase in the percentage of losses recovered by victims.
The average amount lost fell in 2007 to US$886, down approximately 29% from the $1,244 average per incident in 2006. And more people - 1.6 million in 2007, compared with 1.5 million the year before - recovered more money, said Litan; the survey showed 2007's victims recovered 64% of their losses, up significantly from the 54% recouped in 2006.
Litan ascribed the average-loss drop to better controls by banks and credit card companies, including lower triggers in antifraud or account-locking measures, and she attributed the greater proportion of losses recovered to consumers' avoidance of payment vehicles that lack any recovery feature, such as Western Union and the now-defunct eGold.
But that silver lining is paper thin, Litan said. In fact, she painted a dark and gloomy picture of the future. "Frankly, regulators are asleep at the wheel on this. New regulations are coming into effect in 2008, but to me this looks just like the mortgage subprime crisis. They're just not looking at this head on."
As proof, Litan pointed out that Gartner, along with the University of California, Berkeley, had examined two-and-a-half years' worth of data acquired from the Federal Deposit Insurance Company through a Freedom of Information Act request. The data, said Litan, was spotty, unreliable and unstructured, and only 451 unique phishing incidents had been reported to the FDIC.
"The data quality was so poor that it was impossible to draw any conclusions from it other than that the regulatory reporting on fraud attacks is severely lacking," Litan concluded.
In the 12 months before August 2007, Gartner calculated, estimated phishing losses totalled $3.2 billion. That was up $500 million from $2.8 billion in 2006.
"How much money has to be lost before something's done?" Litan asked.