Incidents of phishing were up again in May, albeit only slightly, after surging in March and April, according to the Anti-Phishing Working Group.
The number of unique phishing attacks reported increased six percent in May to 1,197, with an average of 38.6 reports each day, slightly higher than in April. The numbers could have been higher, but scam artists may have taken a break for Memorial Day in the US, keeping the final tally low, the report said.
Phishing scams are a form of online crime in which spam is used to direct Internet users to websites controlled by the thieves, but designed to look like legitimate e-commerce sites. Users are asked to provide sensitive information such as a password, social security number, bank account or credit card number, often under the guise of updating account information.
Financial services companies continued to be the primary target of the scams, and Citibank customers were the most frequent target. Scams using the names of eBay and Paypal were also rampant in May, said the group, which is sponsored by Microsoft, VeriSign and anti-spam company Tumbleweed, among others.
Phishing scams have surged in recent months to 1,100 in April, a 178 percent increase from March. In May, the group received reports of over 300 attacks a week, with a big drop-off the week of May 29 - when it was Memorial Day in the US at the same time as other World War Two rembrance ceremonies across Europe.
Faked sender, or "from" addresses on e-mail messages continued to be a popular tool of scam artists. At least 95 percent of e-mail messages submitted to the Anti-Phishing Working Group used such addresses.
The spoofed addresses are frequently identical to legitimate addresses at the companies being targeted by the phishers, for example: [email protected] and [email protected] were common spoofed addresses. The remainder of phisher e-mails submitted to the group came from so-called "social engineering addresses" - online mailboxes at domains run by the scam artists that resemble actual e-commerce sites. The domains, such eBay.billing.com, instead of ebay.com, or verify-visa.net, as opposed to visa.com, are designed to fool customers, the report said.
The phishing problem has received increased attention from the private sector and governments in recent months, as online criminals have seized on the scams as a lucrative and relatively simple way to make money.
On Tuesday, credit card company MasterCard said it was partnering with NameProtect to combat online identity theft and a black market in stolen credit card numbers. The two companies plan to aggressively pursue those behind phishing scams and work with law enforcement to shut down Internet sites and tools used by the identity thieves.
Also, on June 16, a consortium of companies from across industries announced a new group that will tackle phishing. The Trusted Electronic Communications Forum (TECF) has representatives from leading retail, telecommunications, financial services and technology companies, including Best Buy, AT&T, Charles Schwab and IBM.
The TECF will work with the U.S. and other governments, as well as standards organizations and companies to fix problems such as e-mail and Web-site spoofing, which contribute to a fast-growing online identity theft problem, the group said.