Phishing Attacks Threaten E-Commerce

Gartner, which just completed a poll of over 5,000 U.S. adults who go online, noted that if it continues, phishing attacks will have a serious impact on e-commerce.

Phishing attacks typically start with an e-mail message purporting to be from a trusted source, such as bank, credit card company, or major retailer. A link within the message directs the recipient to a "spoofed" Web site that looks legitimate but is in fact bogus. There, the user is asked to update their account information by providing credit card and bank account numbers, billing address, Social Security number, or even a mother's maiden name. (The last is often used to verify someone's identity.) The purpose: to use the stolen info to purchase goods or hijack the account.

According to Avivah Litan, a research director with Gartner and the author of the study based on the survey, 57 million Americans have been, or think they have been, the victim of a phishing attack. Thirty million were positive, while 27 million weren't sure.

Out of that pool, an amazing number fell for the scams. Eleven million, or about 19 percent of those attacked, said that they'd clicked on the link in the phishing e-mail. More ominous for the banking and credit card industry -- the prime target of phishing -- and proof that crime pays, almost two million, or about three percent of those attacked, reported that they'd actually divulged sensitive information, like a credit card number, by filling in a form on the spoofed Web site the link them to.

Phishing, though not new to the Internet, has exploding in last six months. Since October 2003, 76 percent of all known or suspected phishing attacks were launched. Another 16 percent were sent in the six months prior, meaning that 92 percent of all attacks were conducted in the last year.

"This is an old trick," said Litan, "but it has totally picked up lately."

Phishers do this because they're successful at getting personal information, and using it. "There's a high correlation between victims of phishing attacks and victims of identity theft," said Litan. "A majority of those who remember giving away sensitive information to phishers also reported being victimized by identity theft," she said. Ninety-four percent of that group -- about a million Americans -- said that the theft occurred in the past year.

In the general population of those who say they've been victimized by identity theft, only 36 percent said it had happened in the last 12 months.

"Phishing attack victims are almost three times as prone to fraud as other online consumers," concluded Litan.

In her interviews with banking and credit card executives, as well as law enforcement officials, Litan said that the boom in phishing is driven not by amateur hackers, but by organized crime, in particular drug cartels in eastern Europe. "They've discovered identity theft, and in some cases, given up their guns for online fraud."

The payoff can be lucrative -- Litan estimated that the direct cost to U.S. credit card companies and banks was over $1.2 billion in 2003 -- and the chance of getting caught nearly nil.

"Phishers have a one in 700 chance of getting caught," she said.

"They steal all the account numbers they can get, then they take those numbers to make checks and credit cards, to forge checks, and to transfer funds from the victim's account to their own," said Litan.

Gartner's results closely matched those of the Anti-Phishing Working Group, which collects data from Internet service providers and the spoofed companies themselves. In April, the group noted that eBay, PayPal, and Citibank were the top three spoofed firms during the previous month, a ranking confirmed by Gartner.

If phishing continues to grow, said Litan, it will erode consumer confidence in buying online. Unless companies take action, the recent annual growth rate of 20 percent in line sales, already showing signs of erosion because of saturation, will tumble even faster. Minus an antidote to phishing, Litan estimated that by 2007, growth of U.S. e-commerce will slow to 10 percent or less.

But banks and credit card companies -- and the government -- are only now waking up to the phishing danger. "Not many banks are doing anything," said Litan. "A few are piloting managed anti-phishing services, but this is a relatively new phenomenon that's moving very quickly. It's going to take a year or two for them to get themselves organized."

The numbers culled from the survey may be stating the obvious -- that phishing is on the rise and is effective -- but it "proves that there's a lot more going on than was thought, and that a lot of it is successful," Litan said.

And that's not good for anyone.

*This story courtesy of Techweb.com.