Phishing Victims Likely Will Suffer Identity Theft Fraud

Transcription

1 Markets, A. Litan Research Note 14 May 2004 Phishing Victims Likely Will Suffer Identity Theft Fraud Fifty-seven million U.S. adults think they have received a phishing . More than 1.4 million users have suffered from identity theft fraud, costing banks and card issuers $1.2 billion in direct losses in the past year. Core Topic Security and Privacy: Identity Theft Key Issue How extensive is identity theft, and what are the applications for fighting it? Strategic Planning Assumption If phishing antidotes are not implemented, consumer trust will erode and annual U.S. e-commerce growth will slow to 10 percent or less by 2007 (0.6 probability). Note 1 Phishing Phishing is a cyberattack in which an attacker impersonates a trusted company or provider and sends out a bulk message (the bait), typically an , that directs people (the "phish") to a fraudulent channel or Web site to collect personal information for identity theft. For more details on the mechanics of phishing attacks, see "How to Spot, and Stop, 'Phishing' Attacks." According to an April 2004 Gartner survey of 5,000 U.S. online adults, 57 million (41 percent) of U.S. adults have, or think they have, received a "phishing" attack (see Note 1). Of 141 million online adults, more than 30 million (19 percent) stated that the that they received "definitely was a phishing attack"; 27 million (22 percent) thought it "looked like a phishing attack"; 35 million (25 percent) were "not sure" if they had experienced an attack; and 49 million (34 percent) said that they had not received a phishing (see Figure 1). Figure 1 Have you received an that looked like or was in fact a phishing attack? No (49 million) 34% Looked like a phishing attack (30 million) 19% Definitely was a phishing attack (27 million) 22% Not sure (35 million) 25% According to survey respondents, 76 percent of phishing attacks happened in the past six months (November 2003 to April 2004), Gartner Reproduction of this publication in any form without prior written permission is forbidden. The information contained herein has been obtained from sources believed to be reliable. Gartner disclaims all warranties as to the accuracy, completeness or adequacy of such information. Gartner shall have no liability for errors, omissions or inadequacies in the information contained herein or for interpretations thereof. The reader assumes sole responsibility for the selection of these materials to achieve its intended results. The opinions expressed herein are subject to change without notice.

2 and it appears that phishing attacks are increasing. Nearly all (92 percent) of phishing attacks occurred in the past 12 months (see Figure 2). Figure 2 When did you receive this ? More than a year ago 3% Can t remember 4% Within past six months 76% Six months to a year ago 16% Millions of consumers unknowingly fall for phishing scams. Nearly 11 million online adults reported clicking on the link in the phishing attack (approximately 19 percent of those attacked). (About 2 million could not remember if they had or not.) More seriously, 1.78 million Americans, or 3 percent of those attacked, remember giving "phishers" their sensitive financial or personal information, such as a credit card number and billing address, by filling in a form on a spoof Web site. Gartner believes at least 1 million more may have fallen for phishing schemes without realizing it. Phishers' Bait Is Effective Our research shows that phishing is more than just an annoyance. It is an effective, profitable form of crime. Of 1.78 million adult Internet users who remember providing sensitive information to phishers, 55 percent (980,000) also report being victimized by identity theft fraud. Ninety-four percent of that population (920,000) say the identity theft fraud happened in the past year. Comparatively, 36 percent (9.4 million) of 26.2 million online identity theft victims (including phishing victims) suffered the fraud in the past year. Thus, in the past year, phishing attack victims were almost three times as prone to fraud as was the average online consumer. Direct losses from identity theft against phishing attack victims including new-account (that is, when a thief steals an identity to 14 May

3 take out a new loan or service, typically a credit card or cellular phone service), checking account and credit card fraud cost U.S. banks and credit card issuers about $1.2 billion last year, according to the survey. This number does not account for bank staff and consumer time spent investigating and resolving fraud cases. Note 2 Account Takeover An account takeover occurs when someone other than the consumer has access to the consumer's user ID and password, and transfers money out of a checking account or line of credit. It can also take the form of an automated teller machine (ATM) scam for example, by copying ATM cards and videotaping the personal identification number entry. It's not only phishing attack victims who report higher incidents of identity theft. Phishing recipients most of whom do not report giving information away to phishers also suffer from more fraud. Half of the 4 million U.S. adults who say they have been victims of new-account fraud definitely have or think they have received a phishing . Although it is unclear what causes this correlation, it raises concerns that phishers may be planting spyware or keyboard logging software on consumer PCs. Likewise, 13 million of 24 million U.S. online Internet users who had other types of identity theft committed against them such as credit card and checking account forgery, or account takeover (see Note 2) have received phishing attack s. These figures indicate that phishing attack victims are more likely than nonvictims to have their identities stolen and used illegally by criminals for financial gain. Phishing Will Erode the Growth of Online Commerce Phishing attacks are rapidly spreading, just as e-commerce and online financial activity among U.S. consumers are reaching critical mass. According to Gartner's survey, 45 percent (63 million) of online U.S. adults pay bills online. Consumer adoption of online bill payment grew more than 70 percent between 2003 and This is nearly as much growth as what the United States witnessed between 2001 and 2002, when online bill payment nearly doubled to 25 million Internet users. Recent rapid growth in e-commerce likely will diminish as phishing attacks and other online security threats erode consumer confidence in online transactions. The Anti-Phishing Working Group, which is composed of enterprises and vendors that work together to prevent phishing attacks (see states that in March 2004, there was a 43 percent jump in U.S. phishing attacks compared to February These attacks are taking a toll on consumer trust in the Internet: 58 percent of those who shop, bank or pay bills online and 79 percent of the phishing attack victims say they are very concerned about the security of their online information. U.S. e-commerce has reached an inflection point. Unless consumers' security concerns are adequately addressed by service providers, the recent annual growth rates of 20 percent or 14 May

4 more will shrink more than they would based on the nature of the expanding user base. If phishing antidotes are not implemented, consumer trust will erode and annual U.S. e-commerce growth will slow to 10 percent or less by 2007 (0.6 probability). Consumers have a right to be nervous. Phishing attacks undermine their confidence in the authenticity of s, threatening their trust in the foundation of Internet-based communications. Which Sites Are Being Spoofed? Note 3 ebay Disclaimer This research has been independently produced by Gartner research analysts without any review of or participation by any member of Gartner's board of directors, including Maynard Webb, who serves on Gartner's board of directors and is the president of ebay Technologies, Inc. The Gartner consumer survey results are remarkably yet unsurprisingly similar to reports from the Anti-Phishing Working Group, which collects statistics from service providers as well as spoofed sites. According to the Gartner survey, 30 percent of consumers who received a phishing attack state that the phisher spoofed ebay (see Note 3), 29 percent said PayPal (owned by ebay) and 14 percent said Citibank (see Figure 3). Figure 3 If you received an that looked like or was in fact a phishing attack, what Web site did the phisher try to portray? Other 27% ebay 30% Citibank 14% PayPal 29% Other service providers reportedly spoofed include America Online, Microsoft, EarthLink, Yahoo!, Wells Fargo, Bell South and Fleet Bank. Service providers must implement solutions to authenticate themselves to their customers, and their customers to them. Future Gartner research will examine emerging anti-phishing solutions that range from digitally signed to managed antiphishing services. Although phishers likely will migrate to other types of crime when phishing attacks are more effectively 14 May

5 thwarted, service providers must try to squash phishing attacks until networked computing is more secure and trusted. Bottom Line: Financial institutions, Internet service providers and other providers must take phishing seriously and implement solutions that dramatically minimize if not eradicate the threat of these attacks, even if they are not spoof targets. Eventually, all participants in Internet commerce will be hurt by diminished consumer trust in online transactions. Consumer confidence is threatened with the rise of phishing attacks. Given that phishing victims are more likely to suffer from identity theft than other online users, consumer distrust in Internet security is a reasonable reaction. 14 May