Victims of phishing scams in the United States lost $3.2 billion during a 12-month period ending in August, and the number of people on the receiving end of phishing emails has more than doubled over the past three years, according to a report from Gartner.
The annual survey, based on responses from 4,500 online adults, estimated that 124 million people saw phishing emails in their inboxes during the 12 months covered – more than doubling the 57 million email users targeted by the scams during 2004.
The average respondent received about 80 phishing emails during the survey period.
Written by Avivah Litan, Gartner vice president and research director, the report disclosed that 3.3 percent of scam recipients – or 3.6 million people – lost money because of the attacks, compared with 2.3 percent in last year's survey.
Although the Gartner survey paints a gloomy picture of growth in the volume and sophistication of phishing attacks, it does offer some hope to besieged consumers. The average dollar amount lost per incident declined to $886 this year, down from $1,244 lost on average in 2006.
Gartner attributed the decline in average dollar amount lost per incident to the increased use of fraud-detection systems.
Meanwhile, the amount recovered by victimized consumers has increased significantly. Gartner reported that 1.6 million adults recovered 65 percent of their losses during the latest survey period, compared with 54 percent recovered by 1.5 million phishing email recipients in 2006.
The improvement in loss-recovery was due in part to the declining use of payment tools that do not facilitate refunds, according to Gartner.
“Popular sites like eBay are doing a good job of warning consumers not to use final-payment mechanisms that make it impossible to recover losses,” Litan told SCMagazineUS.com.
The report also noted that phishing attacks most frequently try to compromise debit card accounts, which suffered from phishing scams more than credit card and PayPal accounts. The reason: anti-fraud defenses for debit cards tend to be weaker than those for credit cards.
Litan predicted that phishing attacks will continue to escalate through 2009, at which point up to one-third of malware is expected to be delivered to consumer desktops through online advertisements.
The report was highly critical of the capabilities of financial regulators to measure the damage from phishing. Working with data obtained by the University of California, Berkeley, in a Freedom of Information Act request to the FDIC (Federal Deposit Insurance Corporation), Gartner analyzed all bank-reported data on fraud between January 2005 and May 2007. Gartner branded the data provided by regulators as “spotty, unreliable and unstructured.”
“The data quality was so poor that it was impossible to draw any conclusions from it, other than the regulatory reporting on fraud attacks is severely lacking,” Litan stated in the report.