Consumers to lose $2.8B to phishers in 2006

Browser makers may have added new antiphishing features to their products in recent months, but the criminals are still gaining ground in their efforts to defraud U.S. consumers, according to the Gartner Inc. research firm.

Phishers have hit more victims with their online attacks, and while fewer people are losing money to phishers, successful attempts have been yielding bigger payoffs, said Avivah Litan, vice president and distinguished analyst at Gartner. "When they do succeeded, they're stealing five times more than they stole last year."

The average loss per phishing attack was US$1,244 this year, Litan said, up from $256. Gartner estimates that the total financial losses attributable to phishing will total $2.8 billion this year.

And users who are taken in by phishing scams are less likely to recover their money, Litan said. In 2005, 80 percent of victims got their money back. This year, that number dropped to 54 percent.

Gartner estimates that 3.5 million Americans will give up sensitive information to phishers in 2006 -- up from an estimated 1.9 million last year.

Although the recently released Internet Explorer 7 and Firefox 2.0 browsers came with new antiphishing features, Microsoft Corp. and Mozilla Corp. are still playing catch-up with the crooks.

"It's still too early to know how effective [these new antiphishing features] are, but certainly that technology is a couple of years too late," Litan said.

Phishing filters are not working because attackers are moving around their phishing Web sites and making it very difficult for antiphishing tools to tell the difference between a computer that is malicious and one that is simply unknown, she said.

A year ago, the average lifespan of a phisher's Web site was one week. Now it's just a few hours. "In the next year or two it will probably be one server per e-mail," Litan said. "They're impossible to catch and take down."

Antiphishing expert Paul Laudanski agrees that these attacks are on the rise. Part of the problem, he says, is the fact that Internet service providers and the companies being spoofed by phishers are not doing all they could to share information and track down the criminals.

Often companies are reluctant to share information for fear that it may lead to lawsuits, said Laudanski, owner of Computer Cops LLC and the leader of the Phishing Incident Reporting and Termination squad project.

"What we need, I believe, is free, open communication," he said. "The criminals are working together in this, but it's hard for us to work together."