More than 3.5 million US adults lost money to phishing scams and online identity theft in the 12-month period that ended in August, a 57 percent increase over the previous year, a Gartner fraud analyst has said.

The bad news, said analyst Avivah Litan, didn't end there. About 3.3 percent of the 4,500 Americans polled in August said they had been victimised by a phishing attack and had lost money in the deal. In 2006, the figure was 2.3 percent.

And banking regulators are both "in the dark" and "asleep at the wheel," she noted.

In other words, phishing is far from ancient history. Even consumers familiar with the concept - and those, said Litan, remain a minority - are not necessarily immune from current scams.
"Phishing is much more surreptitious, much more devious," she argued. "They're grabbing information from Facebook and MySpace and sending e-mail like they're your friend. Then there's greeting cards and charities, both of which are up dramatically."

The practice hasn't gone unnoticed by other security experts, who have remarked - most notably about the Storm bot-building Trojan - that clever social engineering strategies are all the rage. The constantly changing cycle of new techniques simply makes it that much harder for consumers to recognise what's legitimate and what's illegal.

"It not obvious, like it used to be," Litan added, like with early phishing techniques that used bank-branded e-mails that claimed the recipient needed to enter her log-in information in the next 24 hours or be locked out of her account. "Now malware is being dropped from e-mails, or from advertisements on Web pages, or from compromised Web sites. Click on a link in an ad, and even if you don't enter any information, you're still getting infected."

That broadening of the definition of "phishing," which once stood for bogus e-mail that tried to dupe users into giving up their passwords, had Litan grasping for a new term. "Maybe it should be called 'malphish,' or 'phishware,' " she said.

Gartner's annual survey also uncovered other shifts in identity theft. For the first time, bank check and debit card account information dominated the target list of phishers. In 2007, 47 percent of those who lost money said it was through a debit or bank check card, while credit cards accounted for just 32 percent. The year before, debit and credit cards were essentially neck and neck.

"Criminals have stepped up attacks on debit card and bank accounts, where back-end fraud-detection systems are traditionally weaker than they are in credit card accounts," said Litan. "And there are so many ways to use a debit card, whether it's for fund transfers or purchases or [cash] advances."

Among the few bright spots in Gartner's report are a drop in the average dollar amount lost per phishing incident, and an increase in the percentage of losses recovered by victims.

The average amount lost fell in 2007 to US$886, down approximately 29 percent from the $1,244 average per incident in 2006. And more people - 1.6 million in 2007, compared with 1.5 million the year before - recovered more money, said Litan; the survey showed 2007's victims recovered 64 percent of their losses, up significantly from the 54 percnt recouped in 2006.

Litan ascribed the average-loss drop to better controls by banks and credit card companies, including lower triggers in antifraud or account-locking measures, and she attributed the greater proportion of losses recovered to consumers' avoidance of payment vehicles that lack any recovery feature, such as Western Union and the now-defunct eGold.
In the 12 months before August 2007, Gartner calculated, estimated phishing losses totalled $3.2 billion. That was up $500 million from $2.8 billion in 2006.

"How much money has to be lost before something's done?" Litan asked.