US hit by 57 million phishing attacks in one year

About 57 million people in the US are thought to have received a phishing email during the past year, according to a survey to be published by Gartner on Thursday.

Phishing is an Internet scam in which unsuspecting users receive official-looking emails that attempt to fool them into disclosing online passwords, user names and other personal information. Victims are usually persuaded to click on a link in an email that directs them to a doctored version of an organisation's Web site.

The Gartner survey was carried out during April and questioned more than 5,000 US Internet users, and the answers were extrapolated to create a representative sample of the US population. Gartner said the survey indicates that more than 30 million people are sure they have fallen victim to a phishing attack, 27 million people suspect they may have been fooled and 35 million could not be sure either way.

The news gets worse because Gartner believes that 11 million adults clicked on a phishing email's link and almost 2 million remember passing on sensitive information such as a credit card numbers.

"Even more seriously, 1.78 million Americans remember giving the phishers sensitive financial or personal information, such as credit card numbers or billing addresses, by filling in a form on a spoof Web site," said Avivah Litan from Gartner Research.

Unless phishing can be stamped out using digitally signed emails, and other antiphishing technologies, Gartner expects the US ecommerce economy to take a substantial hit.

"Without the implementation of phishing antidotes, consumer trust will further erode and annual US ecommerce growth will slow to 10 percent or less by 2007," said Litan.

Richard Starnes, director of incident response at Cable and Wireless Managed Security Services said phishing is a huge problem, but it would not be eliminated quickly without a massive investment in digital certificates or identity tokens. However, he said that proper education of users could provide a temporary fix.

"We have to concentrate on user training, things like what a phishing site looks like and what a real URL looks like. We are always trying to find a silver bullet that will make everything alright but it has got to be part of an ongoing comprehensive information security programme," he said.

Gartner said it estimates phishing-based identity theft fraud cost US banks and credit card issuers about $1.2bn in 2003.

In the UK, email security company Messagelabs estimated that the quantity of phishing emails had increased 1000-fold since last year. In October 2003 they recorded 279 phishing emails to 215,643 in March 2004.