TechWeb

Deceptive E-Mail Could Cost Consumers $500 Million, Study Finds

Sep 30, 2004 (09:09 AM EDT)

Read the Original Article at http://www.informationweek.com/news/showArticle.jhtml?articleID=48800408


Phishing could cost consumers $500 million this year, according to a new study conducted by the Ponemon Institute, a privacy research and watchdog organization.

The study, based on a survey of 1,335 Internet users in the United States, finds that 76% of respondents experienced an increase in the deceptive E-mail practices known as phishing and spoofing. Perhaps more alarming, 70% report having unintentionally visited a spoofed Web site, and more than 15% admit revealing sensitive personal information in the process. Two percent claim to have experienced direct monetary loss because of phishers.

According to a July report from the Anti-Phishing Working Group, phishers are able to convince up to 5% of recipients to respond to them. That month, the group reported there were 1,974 new phishing attacks, representing a 39% increase over the previous month.

In April, research firm Gartner estimated that 57 million Americans had received phishing E-mail. Of those, it found that 1.8 million, or approximately 3%, revealed personal information, and more than half of those experienced identity theft as a result. Gartner put the annual cost to banks at $1.2 billion.

The Ponemon Institute survey was sponsored by Trust-e, a nonprofit online privacy organization, and NACHA, an electronic payments association. According to the survey, consumers think businesses should be doing more to protect them: 64% consider it unacceptable for organizations to ignore the problem, and 96% want companies to deploy new technologies to authenticate E-mail and online sites. They also want law enforcement to shut down spoofed sites.

Phishing attacks are hard to detect, and the Ponemon Institute and Trust-e are calling for a consumer-education campaign. In a test of 200,000 E-mail users conducted by E-mail security company MailFrontier Inc., fewer than 10% were able to distinguish phishing messages from legitimate E-mail all the time.

Vendors offer anti-phishing products and services, but the tools can't keep up with the increasing sophistication of criminals, says Avivah Litan, Gartner's VP and research director. As banks scramble to fortify E-mail, she says, phishers are moving to spyware to steal information.

Law enforcement can't contain the problem, either. Litan notes that only 3% of reported identity thefts result in arrests. "It's just so lucrative," she says. "I think we're at the beginning of a multiyear cyberwar."