The study, based on a survey of 1,335 Internet users in the United States, finds that 76% of respondents experienced an increase in the deceptive E-mail practices known as phishing and spoofing. Perhaps more alarming, 70% report having unintentionally visited a spoofed Web site, and more than 15% admit revealing sensitive personal information in the process. Two percent claim to have experienced direct monetary loss because of phishers.
According to a July report from the Anti-Phishing Working Group, phishers are able to convince up to 5% of recipients to respond to them. That month, the group reported there were 1,974 new phishing attacks, representing a 39% increase over the previous month.
In April, research firm Gartner estimated that 57 million Americans had received phishing E-mail. Of those, it found that 1.8 million, or approximately 3%, revealed personal information, and more than half of those experienced identity theft as a result. Gartner put the annual cost to banks at $1.2 billion.
The Ponemon Institute survey was sponsored by Trust-e, a nonprofit online privacy organization, and NACHA, an electronic payments association. According to the survey, consumers think businesses should be doing more to protect them: 64% consider it unacceptable for organizations to ignore the problem, and 96% want companies to deploy new technologies to authenticate E-mail and online sites. They also want law enforcement to shut down spoofed sites.
Phishing attacks are hard to detect, and the Ponemon Institute and Trust-e are calling for a consumer-education campaign. In a test of 200,000 E-mail users conducted by E-mail security company MailFrontier Inc., fewer than 10% were able to distinguish phishing messages from legitimate E-mail all the time.
Vendors offer anti-phishing products and services, but the tools can't keep up with the increasing sophistication of criminals, says Avivah Litan, Gartner's VP and research director. As banks scramble to fortify E-mail, she says, phishers are moving to spyware to steal information.
Law enforcement can't contain the problem, either. Litan notes that only 3% of reported identity thefts result in arrests. "It's just so lucrative," she says. "I think we're at the beginning of a multiyear cyberwar."