Gartner: Phishing Angriffe stiegen 2007 an – Schaden von mehr als 3 Milliarden US-Dollar

PayPal and eBay continue to be the most-spoofed brands, but phishing attacks increasingly employ devious social engineering attacks, impersonating, for example, electronic greeting cards, charities and foreign businesses.

Thieves are increasingly stealing debit card and other bank account credentials to rob accounts —  targeting areas where fraud detection is weaker than it is with credit card accounts. According to the survey, of those consumers who lost money to phishing attacks, 47 percent said a debit or check card had been the payment method used when they lost money or had unauthorized charges made on their accounts. This was followed by 32 percent of respondents who listed a credit card as the payment method, and 24 percent who listed a bank account as the method (multiple responses were allowed).

"Criminals have stepped up attacks on debit card and bank accounts, where back-end fraud detection systems are traditionally weaker than they are with credit card accounts," Ms. Litan said. "Fraud detection and authentication systems deployed widely in online banking in response to FFIEC banking regulator guidance are already a step behind fraudsters' latest techniques and must be updated to guard against browser hijackings, "man in the middle," and other hidden malware-based attacks often delivered to users through phishing e-mails. Regulators must get a better handle on the problem through consistent and timely bank reporting on their fraud incidents and losses."

Ms. Litan said bank regulators appear to be in the dark when it comes to measuring damage from phishing attacks. The University of California at Berkeley conducted a Freedom of Information Act request, asking the Federal Deposit Insurance Corporation for all bank-reported data on fraud attacks between January 27, 2005 and May 30, 2007. Gartner and UC Berkeley analyzed these data and found spotty, unreliable and unstructured data reported by U.S. banks to the regulator. Just 451 unique incidents were reported in this period. "The data quality was so poor that it was impossible to draw any conclusions from it other than that the regulatory reporting on fraud attacks is severely lacking," Ms. Litan said.

Phishing and malware attacks will continue to increase through 2009 because it's still a lucrative business for the perpetrators, and advertising networks will be used to deliver up to 30 percent of malware that lands on consumer desktops.

Gartner sees no easy way out of this dilemma unless e-mail providers have incentives to invest in solutions to keep phishing e-mails from reaching consumers in the first place, and unless advertising networks and other "infection point" providers (which theoretically can be any legitimate Web site or service) have incentives to keep malware from being planted on their Web sites to reach unsuspecting consumers.

"Enterprises should at least protect their own brands from being used in phishing attacks by subscribing to an anti-phishing solution," Ms. Litan said. "Similarly, companies should subscribe to anti-malware services that detect malware targeting the firm's customers, and prevent it from spreading across consumer desktops. Custodians of consumer financial accounts must protect those accounts through fraud prevention, stronger user authentication and transaction verification."

About Gartner
Gartner, Inc. (NYSE: IT) is the world's leading information technology research and advisory company. Gartner delivers the technology-related insight necessary for its clients to make the right decisions, every day. From CIOs and senior IT leaders in corporations and government agencies, to business leaders in high-tech and telecom enterprises and professional services firms, to technology investors, Gartner is the indispensable partner to 60,000 clients in 10,000 distinct organizations. Through the resources of Gartner Research, Gartner Consulting and Gartner Events, Gartner works with every client to research, analyze and interpret the business of IT within the context of their individual role. Founded in 1979, Gartner is headquartered in Stamford, Connecticut, U.S.A., and has 3,900 associates, including 1,200 research analysts and consultants in 75 countries. For more information, visit www.gartner.com.