A Gartner survey shows phishing attacks against consumers in the United States have been more successful this year than last. The good news is that consumers have been able to recover their losses from phishing a bit more than they did in the past.
An online survey of 4,500 adults -- said to be representative of the U.S. population -- showed 3.3% of them lost money because of a phishing attack, compared with 2.3% who lost money in 2006 and 2.9% in 2005, according to Gartner. The average dollar loss per incident declined this year to US$886 from $1,244 on average in 2006. But because there were more victims, the overall loss to phishing was higher.
By extrapolating the numbers out to the entire U.S. population, Gartner says it appears that 3.6 million adults lost $3.2 billion to phishing attacks in the 12 months ending in August 2007.
The good news is that these phishing victims are recovering the lost money more often than they did in the past, thanks to greater help from banks and PayPal, says Gartner analyst Avivah Litan. "There were more victims but they're getting more of their money back."
Extrapolated to the United States as a whole, the Gartner survey shows some 1.6 million adults recovered about 64% of their losses in 2007, up from the 54% that 1.5 million adults recovered in 2006. PayPal and eBay continue to be "the most-spoofed brands," the Gartner survey says.
Litan acknowledges it's not clear exactly why or how banks and PayPal, eBay's financial funds-transfer service, have become more proactive about assisting phishing victims, but the survey suggests it was a trend this year.
Another trend seen is that attackers are more eager to get hold of debit and check cards than credit cards because there are fewer protections for them and they're harder to catch, says Litan. That trend also dovetails with general consumer adoption and use of debit cards in greater numbers over the past few years.
In the Gartner survey this year, almost half the respondents said a debit or check card was the payment method they used when they lost money, followed by 32% who were using a credit card and 24% who answered "bank account."
Litan said criminals using phishing for financial gain continue to broaden the nets, with many phishing attacks now "brandless," lacking specific bank names, or originating from nearly invisible links on Web pages of compromised sites.