Application security

Gartner: Targeted phishing attacks target the rich

Fraudsters are targeting phishing attacks at high wage-earners to steal large sums of money, according to new research.

The report, released yesterday by Gartner, shows cybercriminals are identifying wealthy targets, who are more likely to make transactions on the internet. People earning more than $100,000 per year are attacked more often than those receiving less money, according to the research.

On average, high earning people lost $4,362 in phishing scams - almost four times more than other victims, according to the findings.

The study found that the number of phishing attacks has doubled since 2004, with 109 million adults in the United States alone receiving a phishing email, up from 57 million two years ago. Financial losses from phishing scams this year have risen to about $2.8 billion - twice the amount lost in 2004.

According to the study, which surveyed 5,000 people in August, the average amount of money lost in a phishing scam jumped from $257 per victim to $1,244 in a year. However, the amount of money victims recovered from phishing attacks dropped to 54 percent, from 80 percent in 2005.

The research suggests that criminals are changing tactics and impersonating banks less often in their attacks, and thus increasingly posing as other retail brands, such as PayPal and eBay. As a result, refunds from financial institutions and credit card companies to victims have fallen, while reimbursements from non-financial organizations and other retailers are growing.

Avivah Litan, vice president and analyst at Gartner, said many of the recent browser upgrades, including Microsoft Internet Explorer 7 and Mozilla Firefox 2.0, are ineffective in protecting online users against phishing, and predicted attacks will continue to rise over the next few years.

"Cyber-criminals are starting to shift away from attacking online banks directly and are leveraging less conventional brands and using hard-to-detect social engineering methods to reap financial gains," she said. "Countermeasures such as phishing detection and take-down services deployed by banks and internet service providers are obviously not sufficiently widespread or effective. Many of the browser upgrades are still incomplete and immature in terms of protections afforded. For at least two more years, phishing attacks will continue to increase since it's still a lucrative business for the perpetrators."

In addition to the evidence showing criminals changing their approach and identifying wealthy targets, Litan said the fraudsters are moving their phishing sites more regularly and frequently changing the type of business they pose as to avoid detection.

"The anti-phishing measures some enterprises have put in place to protect their brand and their consumers are not working. Phishers are moving from site to site to launch their attacks more quickly than ever," she said. "The average life of phishing sites has gone from one week a couple years ago to about one hour in 2006. Within a year or so, phishing sites may be user specific — that is a single site will be set up to launch a phishing attack against a single user. It's no wonder the detection services can't keep up with these rapid criminal movements."


Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.