Gartner: Phishing on the rise in U.S.

Nearly 2 million people reported security breaches to their checking accounts during the last year, the researcher says.

Matt Hines, Staff Writer, CNET News.com
Matt Hines covers business software, with a particular focus on enterprise applications.
New research published Tuesday by Gartner indicates that illegal access to checking accounts, often gained via technology-borne schemes such as "phishing," has become the fastest-growing form of consumer theft in the United States.

According to Gartner's numbers, roughly 1.98 million people reported that their checking accounts were breached in some way during the last year. The research company said that crimes such as phishing, whereby criminals use misleading e-mail and Web sites to dupe individuals into sharing personal data like passwords, accounted for a staggering $2.4 billion in fraud, or an average of $1,200 per victim, during the last 12 months.

The latest numbers confirm a report published by Gartner in May that highlighted the rapid growth of the phishing phenomenon. In that study, the research company concluded that 57 million consumers in the United States had received a phishing e-mail during the prior year. One of the most common phishing campaigns being waged has targeted users of Web auction giant eBay and its PayPal payment-services division, with financial services giant Citibank serving as another popular target.

Avivah Litan, the Gartner analyst who conducted the new research, said that phishing is not the only major security problem opening consumers to possible crimes.

The analyst believes that so-called keystroke logging, or the practice of using spyware to record all the characters a computer user types into his machine, is also growing rapidly. Security software company Webroot claims that its own research shows that nearly one in every three PCs harbors some kind of keystroke-logging software.

"There are great controls for other types of fraud at the banks, and credit card companies are very good at keeping an eye out for improper behavior, but there is no way to directly address phishing or keyboard logging as of yet," Litan said. "Someone needs to introduce the kind of back-end software necessary for preventing this sort of activity; that would make a difference."

As the online banking, shopping and payment industries have grown, so too have the methods used by thieves to trick unsuspecting consumers into giving away password and account data.

Those most often targeted are people who have only recently begun to use online accounts to do business. Gartner reported that of the 4 million consumers who encountered fraud last year when opening a new online account, approximately half said they also received a phishing e-mail.

Gartner said that checking account attacks ranked second only to physical credit card thefts in its study, which polled 5,000 people and was based on a 12-month period ending in April 2004. The research examined five types of consumer fraud: new account fraud, check forgery, unauthorized access to checking accounts, illegal credit card purchases and fraudulent cash advances on credit cards.

Litan said technology offers an attractive vehicle for criminals, because it allows them to ply their illegal trades without ever encountering their victims in person.

"The solution is in building stronger consumer authentication tools, in order to help service providers like banks build tighter links with consumers," Litan said. "We need Caller ID for the Internet."

The analyst, who said she endured her own brush with criminals when someone stole her personal information and used it to make purchases on a debit card, suggested that a simple way for companies to create safer bonds with customers is to require that they answer multiple questions when logging into a site.

In addition to phishing e-mail campaigns, spyware launched via pop-up advertisements or Web sites also remains a serious threat. For instance, an Internet surfer tricked into visiting a certain Web site laced with spyware, or software that gathers information about people without their knowledge, can then have that person's password or verification information tracked and stolen.

A common goal
As part of the wider battle against phishing and other forms of Web crime, a group of companies on Wednesday will announce a new standards and research effort, dubbed the Trusted Electronic Communications Forum. The group will include representatives from a number of well-known companies in the financial services sector, including E*Trade Financial, Fidelity Investments and HSBC Holdings, along with tech providers such as AT&T, IBM and Siebel Systems.

Shawn Eldridge, an executive at security software maker PostX and chairman of the Trusted Electronic Communications Forum, said the organization will work to establish new standards for protecting consumers and will teach end users how to better protect themselves online.

"No one thing is going to solve these problems, but the combined effort of creating guidelines and educating consumers can go a long way toward resolving these issues and discouraging this sort of crime," Eldridge said. "If we can find ways to effectively identify when phishing has occurred and report it to the right authorities, I think we can help start making the problem go away."

Eldridge said that the group plans to begin working on a list of related best practices for financial services companies while opening discussions with federal law enforcement agencies, including the U.S. Department of Homeland Security and the Secret Service.

However, security experts raised doubts as to how effective any industry group could be in helping consumers avoid potential crimes, beyond publicizing the problem and lobbying for better regulation.

Ray Everett-Church, an attorney with ePrivacy Group who follows Internet security issues, said that ultimately it will be up to consumers to protect themselves, even as fraudulent schemes become more complex.

"It's really quite a challenge, as even a well-prepared user could be tricked by some of the most realistic forgeries that are out there," he said. "Any time a company sends you an e-mail asking to log in to their Web site or forward sensitive information, you should think twice, since most companies will never ask you to do that."

Everett-Church said the best way to figure out if a site truly needs information is to visit it independently after closing any suspicious e-mails and re-launching any open Web browsing software. If there is an actual need for information or clarification, the site should have related information prominently displayed, he said.

"If a company has a real alert, it should be easy to find," he said. "You simply cannot trust links and e-mail messages, no matter how real they might look, and unless you launch a fresh browser, someone could still be stealing your information."