Gartner Says Number of Phishing Attacks on U.S. Consumers Increased 40 Percent in 2008

Fraudsters Focus on Higher-Volume and Lower-Value Phishing Attacks

STAMFORD, Conn., More than 5 million U.S. consumers lost money to phishing attacks in the 12 months ending in September 2008, a 39.8 percent increase over the number of victims a year earlier, according to Gartner, Inc.

In September of 2008, Gartner surveyed 3,985 U.S. online adults to determine the number of U.S. adults who have been victimized by phishing attacks, as well as the methods being used by criminals to execute these crimes.

The survey uncovered a trend toward higher-volume and lower-value attacks. Although the number of consumers who lost money to phishing attacks increased in 2008, average losses decreased. The average consumer loss in 2008 per phishing incident was $351, a 60 percent decrease from the year before.

Phishing attacks continue to exact financial damage on consumers and financial institutions. Consumers recovered 56 percent of their losses, meaning that most fraud costs were borne by consumer banks, PayPal and other financial service providers.

“The survey findings underline the fact that the war against phishing is far from over,” said Avivah Litan, vice president and distinguished analyst at Gartner. “Despite the rollout of a wide range of security measures designed to stem phishing, the truth is that many of them are not yet adopted widely enough to reverse this tide and, in many cases, their effectiveness is only partial.”

Ms. Litan said that measures targeted at stopping phishing include phishing e-mail blocking, safe browser surfing features, the use of site authentication to assure users they are on a legitimate Web site, the detection of phishing attacks, and the take-down of the criminal sites servicing those attacks.

Gartner recommends that enterprises continue to deploy and improve security solutions that protect accounts and customers against attacks. Enterprises that are custodians of customer accounts should also consider site authentication or assurance to confirm to a customer that he or she is on a legitimate Web site and not a spoof site. In addition, antiphishing services can proactively look for phishing attacks against named enterprises before they are launched and take them down on detection.

Enterprises providing e-mail services should investigate “secure” e-mail gateways that can block phishing e-mails from reaching customer in-boxes using a variety of methods from e-mail analysis to accepting only properly signed digital e-mail. End users can also increase their own protection by using safe-browsing tools that can provide a warning when accessing a known or suspected phishing site.

“None of the solutions are foolproof, however, and determined crooks will manage to get around them, so a layered security approach, involving all parties, will yield the best results,” said Ms. Litan. “This strategy must include continuous fraud detection, stronger user authentication, and out-of-band transaction verification for registered users.”

Gartner defines phishing attacks as when hackers or “cyberthieves” portray themselves to users as a trusted service provider, but in fact the phisher seeks to steal the user’s account information, such as credit card number, home address and phone number, or credentials, such as user IDs and passwords. Phishing is typically accomplished when the hacker sends someone an e-mail with a link inside and an invitation to go to a Web site, which the thief portrays as a well-known and/or trustworthy site.

Additional information is available in the Gartner report “The War on Phishing Is Far From Over.” The report is available on Gartner’s Web site at http://www.gartner.com/DisplayDocument?ref=g_search&id=927921&subref=simplesearch.

Additional information and practical advice on identity access management will be presented at the Gartner Information Security Summit, taking place from June 28 through July 1 in Washington, D.C. The Summit hits the critical spot between strategic planning and tactical advice. Gartner analysts, industry experts and IT security practitioners deliver unbiased, realistic analysis of the current state of information security, as well as an independent vision of how things will evolve over the long term. For complete event details, please visit the Gartner IT Security Summit Web site at http://www.gartner.com/it/page.jsp?id=749433. Members of the media can register by contacting Christy Pettey at christy.pettey@gartner.com.

Gartner, Inc. (NYSE: IT) is the world’s leading information technology research and advisory company. Gartner delivers the technology-related insight necessary for its clients to make the right decisions, every day. From CIOs and senior IT leaders in corporations and government agencies, to business leaders in high-tech and telecom enterprises and professional services firms, to technology investors, Gartner is the indispensable partner to 60,000 clients in 10,000 distinct organizations. Through the resources of Gartner Research, Gartner Consulting and Gartner Events, Gartner works with every client to research, analyze and interpret the business of IT within the context of their individual role. Founded in 1979, Gartner is headquartered in Stamford, Connecticut, U.S.A., and has 4,000 associates, including 1,200 research analysts and consultants in 80 countries. For more information, visit www.gartner.com.