Last month, 6,597 new, unique phishing e-mail messages were reported to the association--up from 2,158 in August. The group considers messages unique when they involve a single e-mail blast with a unique subject line, sent out one at a time and targeting one company or organization. The number of "baiting" sites, which were placed within the messages, also increased to 1,142 in October--up from 727 in August, according to the group.
While phishing can involve any type of online communication, many attacks involve e-mail, where fraudsters can easily duplicate a bank's branding and messaging to solicit personal information, said Quinn Jalli, director of privacy and Internet service provider relations for Digital Impact. Citibank, U.S. Bank, and eBay are the most widely phished brands, according to July 2004 data from the Anti-Phishing Working Group. The group reported that Citibank was hijacked by phishers in 682 unique attacks, U.S. Bank was hijacked in 622 unique attacks, and eBay was used in 255 unique attacks.
Digital Impact, which manages the e-mail marketing campaigns of several large financial and retail marketers, says that phishing has a response rate of 3 percent. The Anti-Phishing Working Group pegs the response rate even higher, at 5 percent.
Like spam, phishing messages cost next to nothing to produce, but the returns are far greater--limited only by the amount of money in a user's bank account. The Anti-Phishing Working Group estimates that in the United States, phishing was a $1.2 billion industry last year. The research firm Gartner reported this May that 57 million U.S. adults--about one in three Internet users--have encountered some form of phishing.
Jalli said the increase in both the frequency and quality of phishing messages makes it a "terrifying" consumer privacy issue. He's even seen attacks that claim users have been phished when they haven't, asking for credit card information in order to either help track the fraudster or retrieve the funds that were "lost."
Jalli believes advertisers rely too heavily on consumers' ability to identify fraudulent e-mail; he said marketers need to solve the problem if they want to protect their brand.
Digital Impact's Jalli said there is a need for an authentication system that personalizes e-mail for users, so they will know whether they requested the commercial mail they receive.
To that end, earlier this month, the e-mail service provider launched a series of anti-phishing products that marketers can use separately or in concert. One alerts Internet service providers to a phishing attack as soon as it's discovered; another attaches a personalized sender authentication password to commercial e-mails; and another enables a company's customer service department to use an e-mail verification database to tell concerned customers definitively whether or not it sent a specific e-mail.