Phishing Attacks Surge
Phishing activity increased by almost 40 percent in a 12-month period.
To be forewarned is to be forearmed -- except, that is, when it comes to phishing.
According to market watcher Gartner Inc., phishing activity increased by almost 40 percent between September 2007 and September 2008. Consumers are the nominal targets, but financial institutions and other intermediary parties bear the brunt of the cost, according to the research firm.
For example, more than five million U.S. consumers fell victim to phishing attacks during Gartner’s 12-month survey period, losing an average of $351 per incident. In the final analysis, however, consumers were actually on the hook for less than half (44 percent, according to Gartner) of that amount; banks, financial institutions, and other intermediaries had to cough up the rest.
There’s a lesson here for enterprise IT organizations, Gartner analysts say.
“The survey findings underline the fact that the war against phishing is far from over,” said Avivah Litan, vice president and distinguished analyst at Gartner, in a statement. “Despite the rollout of a wide range of security measures designed to stem phishing, the truth is that many of them are not yet adopted widely enough to reverse this tide and, in many cases, their effectiveness is only partial.”
Nevertheless, Litan says enterprise IT shops should investigate and deploy security products -- such as secure e-mail gateways -- that can provide some measure of protection against phishing attacks. "None of the solutions [is] foolproof, however, and determined crooks will manage to get around them, so a layered security approach, involving all parties, will yield the best results," she points out. "This strategy must include continuous fraud detection, stronger user authentication, and out-of-band transaction verification for registered users."
Other measures IT organizations can adopt include site authentication or assurance features (which can tell a customer he or she is browsing a legitimate -- and not a spoofed -- Web site) and antiphishing services.