The percentage of people losing money to phishing attacks is higher than ever -- five million consumers in the United States fell victim during 2008, an increase of 40 percent over 2007, according to a new report.
"You can't relax," Avivah Litan, vice president and distinguished analyst at Gartner and author of the report, told SCMagazineUS.com Wednesday. "You have to assume phishing emails are getting through. They are."
Gartner conducted a survey of 3,985 individuals in September 2008 to determine consumer phishing trends.
According to the survey, 4.3 percent of those who received phishing emails lost money from the scam (compared to three percent in 2005). Litan said that a four percent successful response rate is quite good, considering legitimate mass email marketing campaigns have a success rate of about 1.5 percent.
Attackers are getting better at what they do and are using every trick in the book, Litan said. Attacks have gotten more clever, preying on most major events, from tax season to March Madness, to the economic crisis, Ryan White, product marketing manager for SSL certificate vendor VeriSign, told SCMagazineUS.com Wednesday.
Though the percentage of people losing out to phishing attacks rose, the survey also found that consumer losses due to phishing were actually lower than last year. The average consumer loss in 2008 was $351 per phishing incident, a 60 percent decrease from 2007. Litan attributed the drop to financial institutions getting better at fraud detection, and also to amateur cybercriminals not going after big bucks but rather small amounts that are likely to go under the radar.
Litan said that based on what she has heard from clients, corporate losses due to phishing have increased as consumer losses have decreased. Some 70 percent of enterprises are using technologies such as email gateways that filter out spam and phishing, according to the report.
Many corporate account takeovers start with phishing, Litan said. It can occur when staff members who manage money for a company fall for phishing attacks, which results in phishers obtaining the login credentials for corporate accounts.
Enterprises that keep customer accounts should consider implementing a site-authentication method, such as shared secret icons displayed to users upon login, knowledge-based authentication (which uses questions and answers to verify a user's identity), or trust seals, Litan said.
To avoid becoming a victim, consumers should look for "https" in the address bar, meaning a secure session is under way, when entering their personal confidential information, White said. Users also should look for trust marks and security seals to confirm a website's legitimacy.