Stories
Slash Boxes
Comments
Search

News for nerds, stuff that matters

Slashdot Log In

Log In

Create Account  |  Retrieve Password

3.2 Billion Dollars Lost to Phishing in 2007

Posted by Soulskill on Wed Dec 19, 2007 10:56 AM
from the hello-sir-madam-from-nigeria dept.
Security IT
mrneutron2003 brings us FastSilicon's summary of a Gartner survey which found that 3.2 billion dollars were lost in 2007 to phishing scams. "Gartner's latest survey into the realm of phishing attacks paints a rather bleak picture for 2007, with a record estimated loss of $3.2 Billion (that's Billion, with a B) U.S. Dollars. Overall loss per incident fell (to $886 from $1,244 lost on average in 2006) but the numbers of individuals who fell victim rose quite sharply from 2.3 Million in 2006 to a staggering 3.6 Million. Though online portals Paypal and eBay remained the most spoofed brands, it appears phishers are getting more creative utilizing fake electronic greetings cards, foreign businesses, and charitable organizations in their attacks on consumers. Furthermore these criminals are increasingly targeting debit card and banking credentials rather than credit cards, because the fraud protection mechanisms there are far weaker, according to a study done at The University of California at Berkeley.
+ -
story

Related Stories

Submission: 3.2 Billion Lost To Phishing in 2007 by mrneutron2003 (1106301)
This discussion has been archived. No new comments can be posted.
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.

3.2 Billion Dollars Lost to Phishing in 2007 50 Comments More /

 Full
 Abbreviated
 Hidden
More
Loading... please wait.
  • But my bank protects my money, right?

    For years, I couldn't get a credit card because my credit was terrible, so I had no choice but to sign up for internet porn using my debit card (what else was I supposed to do? go without?)

    So, I figure that my debit card # is sitting in a few forgotten databases around the internet. I'm not worried though, because ultimately, my BANK is liable, not me.

    • Re:debit card protection (Score:5, Informative)

      by dada21 (163177) <adam.dada@gmail.com> on Wednesday December 19 2007, @11:05AM (#21752136) Homepage Journal
      Get yourself a disposable credit "debit" card from any discount store (Wal*Greens, etc). GreenDot is very popular with the black market types. You can even use it on gambling sites, supposedly.

      The best part of the disposable cards is that you can cap the spending without fees. If you're buying something for $500, put $500 on it, and don't refill it. A few times a year they have deals where the cards are free as is the first deposit, so pick up a few grand worth of them at various levels and you're set.

      From what I know of the people who use them alot (google Rosemont, Illinois), they're also a great way to exchange money without anyone tracking it. Just what I've heard, though.
    • Sure, send me your Debit card and lets see how liable you are.

      The "Best" part about a Debit card is you can only spend what you have. Keep $100 in the account and refresh it daily. But if that $100 gets out, it's gone.
    • Anyone dumb enough to pay for something that is abundantly free deserves whatever they get.

      On another note I have an abundant supply of di-hydrogen monoxide I am looking to sell. It is extremely useful for many applications. Regularly priced at up to $4.00 / litre, I am willing to part with it for only $0.50 / litre. Msg me for details!
    • A debit card is more dangerous because ti isn't clear cut. Credit cards, the liability limits are very clear. More or less, because it isn't actually your money involved (you are being loaned the money by the bank) you are liable for anything. With a debit card you can be. It is more discretionary to the bank. With a credit card, you stop a transaction and that's it, it's done. The merchant basically has to take you to court if they want to get their money, which they won't do if they are a fraudster of cou

      • Re: (Score:3, Informative)

        by CastrTroy (595695)
        That all depends on your bank. I got my debit card duplicated and somebody took $500 out of my account. The bank called me up before I even noticed the money was missing. They asked if I made the charge. I said I didn't, and the money was back in my account within 5 days. I had to go down to my local branch and pick up a new debit card, but there was very little trouble on my part. Just as a reference, my bank is TD Canada Trust [tdcanadatrust.com].

        • Re:debit card protection (Score:4, Interesting)

          by Billosaur (927319) * <wgrother@optonline.nOPENBSDet minus bsd> on Wednesday December 19 2007, @11:42AM (#21752648) Journal

          I'm surprised that more banks don't make you retrieve credit/debit cards at local branches. Lots of cameras to help verify who you are. I know that when I want to change my PIN, I have to go to a WAMU branch to do it, whereas I can remember doing it online just a few years ago.

        • Re: (Score:3, Informative)

          by beckerist (985855)
          Hmmm now you have me thinking. I've had 2 banks where this happened to me. Actually, no, a bank and a credit union. The Bank gave me a HUGE hassle, I'd purchased a few things online in the months before and then over a 2 day period someone with my card number purchased over 800$ worth of things online. They never called me, I had to call my bank on it. They made me pay for a replacement card and ALMOST had me convinced that I had to buy some sort of insurance if I wanted to get reimbursed (scammy, eh?) Turn
  • Really, all this has been covered on Ultra-Slashdot in much greater detail.

    Oh, and those of you who don't have Ultra-Slashdot, just send me your e-mail address, your Slashdot password, and your credit card number (just for verification), and I'll be sure to enable it for you...

    • Re:This was already covered on Ultra-Slashdot (Score:5, Informative)

      by russ1337 (938915) on Wednesday December 19 2007, @11:28AM (#21752440)

      Really, all this has been covered on Ultra-Slashdot in much greater detail.

      Oh, and those of you who don't have Ultra-Slashdot, just send me your e-mail address, your Slashdot password, and your credit card number (just for verification), and I'll be sure to enable it for you..

      Email Address: Raymond.A.Carnine@dodgit.com,

      Slashdot password is: "imFishingYouberleethaxors"

      Visa: 4916 7995 1982 5659
      Expires: 5/2008

      oh, and you may need this: SSN: 381-80-6521


      Thanks!!!!

      Raymond A. Carnine [fakenamegenerator.com]
      4882 Prudence Street
      Farmington Hills, MI 48335
      • Ok, creepy.
        I clicked on your link, and hey, that's nifty. First load, however, it gave me the exact birthday as my actual one. I wonder what their year range is. The odds of this are what, 20 or so by 365? damn!
        I wonder if they have a super unusual feb 29....

    • Be sure to post a journal with the usernames/numbers of anybody who actually does this, so we can stone them.

  • One person's loss is another's gain (Score:5, Insightful)

    by lecithin (745575) on Wednesday December 19 2007, @11:02AM (#21752082)
    $3,200,000,000 isn't chump change. This is an organized effort.

    Are these people that good? Is it that hard to follow the trail?

    Do the companies care that their consumers are being duped?

    No. Really. Have you ever hit up paypal or ebay regarding a fraudulent transaction? Nothing usually ever comes of it. Why think that they will change now?

    • Re: (Score:3, Insightful)

      by tha_mink (518151)

      No. Really. Have you ever hit up paypal or ebay regarding a fraudulent transaction? Nothing usually ever comes of it. Why think that they will change now?

      No, it's just that people are THAT stupid. If you're stupid enough to follow these phishing deals, then you get what you deserve. It's akin to walking down to and asking people where you can buy a nice and handing them your wallet. If you don't know HOW to distinguish genuine emails from from a phishing attack, then you should put your credit card away, step away from the computer, get in your car, and go shopping at the mall like the olden days. To an extent, the banks and businesses can do a bette

      • No, it's just that people are THAT stupid. If you're stupid enough to follow these phishing deals, then you get what you deserve.

        Amen to that. You know, I get phishing e-mails every day at my main account, and tons more to my hotmail and yahoo accounts (where their filters catch most of them, but it's fun sometimes just to look them over before they get shit-canned). I would say that at LEAST 2/3 of them are so obviously fake (misspellings, fractured syntax, totally unprofessional looking, etc.) that yo

      • No, it's just that people are THAT stupid. If you're stupid enough to follow these phishing deals, then you get what you deserve.

        I think one of two things has happened here, either you mis-understand what a phishing e-mail actually is or your anti-spam mechanisms catch most of the phishing e-mails that come your way. These are not the "v14gr3" type mailings - these are often exact replicas of bank, eBay, PayPal, etc. websites and/or mailings so meticulously crafted that at times they've made me take pause to examine the headers. URLs are obfuscated in ever more clever ways and at first glance I wouldn't think anything of it and I w

    • Re: (Score:3, Interesting)

      by dsginter (104154)
      Do the companies care that their consumers are being duped

      I know that the tinfoil hat is a popular slashdotter stereotype but...

      The credit card companies do *not* want fraud to go away - they need a small amount to justify their cut of every transaction on the planet.

      A decade ago, I used to be able to swipe my ATM card (which was nothing more, at that time) at the grocery store or gas pump and - voila - the cost was deducted from my checking account. Then, all of a sudden, my bank decided that they wanted
      • I don't think they actually 'want' fraud, I think that that eliminating it altogether just costs more at the moment than they are losing. Visa won't lose their profitable monopoly by eliminating fraud.

        The UK for example has switched almost exclusively to "chip and pin" http://www.chipandpin.co.uk/ [chipandpin.co.uk] Visa cards. Some smaller stores and fast food outlets don't even accept old-fashioned signature-only credit cards any more.

        Most banks in the US/Canada charge fees for a fixed number of transactions, your bank just
    • Maybe it's not chump change, but I'm more worried about he CIA's budget...
      losing over 2 Trillion... [freerepublic.com]
    • Why can't they just follow the money?

      I know with the technological spoofery it can be difficult to find the origin of the phishing.
      With dodgy registrars and others it can be difficult to find the owner of a domain.

      But the money has to actually go *somewhere*. So why can't it be followed up at the point somebody moves it somewhere?

      • But the money has to actually go *somewhere*

        That way my initial response actually. Money is one of those things that's very hard to "lose" in the sense that it doesn't really vanish - it just ends up in someone else's pocket at the end of the day. The interesting thing would be to see how much economic activity is generated by the stolen funds - because I guarantee that these guys aren't just taking the money and having it sit in a non-interest bearing account in some kind of bizarre effort to combat inf

    • US population: 301 million
      People scammed: 3.6 million
      Suckers/confused: 1.2%

      and that's if we limit the pool to the US. It's not really surprising that they get this many people. Expect it to only go up as the online pool gets bigger.

    • $3,200,000,000 isn't chump change. This is an organized effort.
      Bullshit. This is like cops telling you that the pound of Mexican Dirt Weed they busted some poor sap for last week is worth $20,000. It's like Adobe telling you they lose millions on Photoshop every year when you know dman well that none of those pirates would have bought it retail anyway. Bullshit.

  • Furthermore these criminals are increasingly targeting debit card and banking credentials rather than credit cards, because the fraud protection mechanisms there are far weaker, according to a study done at The University of California at Berkeley

    But don't the criminals still get the money, regardless of which type of account from which they steal it? Why do they care either way about better consumer fraud protection (which I read as "responsibility for unknown charges")? Or is it that credit cards have

    • Re:Why would criminals care about the source? (Score:5, Informative)

      by tlhIngan (30335) <slashdot AT worf DOT net> on Wednesday December 19 2007, @11:28AM (#21752436)

      Furthermore these criminals are increasingly targeting debit card and banking credentials rather than credit cards, because the fraud protection mechanisms there are far weaker, according to a study done at The University of California at Berkeley

      But don't the criminals still get the money, regardless of which type of account from which they steal it? Why do they care either way about better consumer fraud protection (which I read as "responsibility for unknown charges")? Or is it that credit cards have better preventative measures? I RTFA, but couldn't find where Berkeley talks about why credit cards have better fraud protection.

      Also, as an anecdote, my bank/debit card company did very well to prevent an instance of fraud with my account. I'd like to know what credit card companies do so much better, other than the fact that they're not able to hold you personally liable in cases of fraud and thievery for amounts over $50 (?).

      The reason credit cards are better is because the protections they have are enshrined in law. Debit card fraud protection isn't - it's only between you and your bank. That's where the $50 protection comes in - if your credit card is stolen, you're only responsible for the first $50 used while it was stolen (even if you didn't realize until later). Now, some banks actually make it "no liability" and eat the $50 as well, but like debit cards, that's between you and your bank.

      Now, imagine your debit card is stolen (or more commonly, duplicated with information stored from illicit debit machines). As far as your bank is concerned, you've been withdrawing the money as normal.

      Finally, consider the illicit charge that happens. With a credit card, the money is the bank's (or Visa/Mastercard/Amex/etc) money. They will lean on the merchant to offer proof that you made the transaction (hence the little credit card slip you sign), since that's a contract. If not, they take the money from the merchant and reimburse you.

      Now try a debit card. The bank can't tell that it wasn't you that made the trasaction. In fact, it could be you trying to scam free money off the bank. All the bank has is a record that your card was used to withdraw cash from your account (your money) that you claim you never withdrew.

      This should be a call for better debit card security, but until then, proving you didn't take your money is a lot harder than having the merchant prove you did make the purchase. Since it's not the bank's money, they can investigate as long as they like, while you're out of the money for the duration. Now some banks may offer cardholder services that make it similar to credit card in protection, but they don't have to. (A more practical aspect - if your credit card was used illicitly, you're not out the money immediately, so you can sustain yourself. If your debit card was used illicitly, you're out the cash until your bank refunds it. This can mean not having money for food and shelter...)

      Just FYI - the signature on the back of your credit card is used to indicate that you agree to the cardholder's agreement. It is not, and should not, be used as a signature reference. That slip you sign is a contract saying you will pay the amount shown as per the cardholder's agreement (which your signature on the card verifies). Thus, "Check ID" is not a valid signature on the card, and the store is right in refusing your card since you technically did not agree to the terms of your cardholder agreement (which naturally includes stuff like paying back the money you borrowed!). The cashier, unless they are trained in handwriting analysis, can't really compare signatures (and shouldn't). They can do a quick verification to make sure that you're not playing games, but that's about it.

      Stores that tend to attract a lot of fraudulent activity may request ID, though.

      It's also why e-commerce is slightly more vulnerable to credit card

  • Phishing for spam. (Score:5, Interesting)

    by Ochu (877326) on Wednesday December 19 2007, @11:05AM (#21752146) Homepage
    I've been saying for a while, phishing is a far bigger problem than spamming. The attach rate is a lot higher, because people think they are responding to a genuine email from Bank of America, the rewards are orders of magnitude higher, because you can take all their money, while the costs are just a bit higher. Sure, its slightly illegal, but to be honest, that clearly has no effect.
  • $3.2 billion. I have to worry about $3.2 billion gross lost due to phishing, and put up with what will amount to billions more in wasted time and energy when Citibank decides to cancel my card while I'm in Europe even though I called them 5 times to let them know exactly where I will be and when. "oh, we thought you gave your number away online."

    Let's look at $3.2 billion "lost."

    300 million adults in the US x Z = 3,200 million.

    Z = $10.66

    So we're all fretting over $10.66 each that we lost in a year. Big d
    • Sure, from the average citizen's perspective, $10.66 isn't money worth much thought. But, from the average Phisher's perspective, $3.2 billion is a hefty sum. How many Phisher's do you think share the $3.2 billion? Maybe I need to consider a career change...
    • That is if you trust this figure.... ... Gartner is not the most relaible source, and how did they come up with this estimate, when the victims mostly will not tell people they were scammed, and the banks will not release their losses ...

      • That is if you trust this figure.... ... Gartner is not the most relaible source, and how did they come up with this estimate, when the victims mostly will not tell people they were scammed, and the banks will not release their losses ...

        Still doesn't effect me. The minute I heard about phishing, I sent an email to all my friends and family explaining it in detail. This goes back years ago. So far, not a single person I know, not a single customer I work with (out of thousands of users) and not a single
    • so you're okay with donating $10 to thieves every year? I'd rather give cops an extra $1000/yr than thieves an extra $10.
      • Doesn't matter to me, I am insured [progressive.com] against all sorts of financial calamity. I also tend not to keep my money in the bank where it makes someone else money, so it's another thing I don't worry too much about.
        • Aha, so let's say you pay $10/month for your "calamity" insurance - which means over the last 5 years you've paid $600 for it and counting. Might as well drop the insurance and learn your $10 lesson with the rest of the "morons".

          Who is the real victim of internet phishing? YOU ARE!!!
          • Aha, so let's say you pay $10/month for your "calamity" insurance - which means over the last 5 years you've paid $600 for it and counting. Might as well drop the insurance and learn your $10 lesson with the rest of the "morons".

            Err, no. I only bank with banks that provide extra insurance over their D&O policy. If you are familiar with banking regulations and laws, D&O protects banks from a lot of fraudulent activities that the banks can generally ignore. SOME banks have extra D&O insurance.
            • That's interesting, thanks for the info. I guess the point remains that any money spent on fraud/ID theft insurance is directly attributable to the fraud and ID theft in the first place, and buyers of this insurance should be considered indirect victims of the crime. Perhaps a secondary crime is banks offering overpriced insurance, which is a problem you seem to have avoided.

  • when does whack-a-mole end? (Score:3, Interesting)

    by damn_registrars (1103043) on Wednesday December 19 2007, @11:16AM (#21752284) Journal
    I feel this is largely parallel to the stories and discussions we've had on the economic basis of spam, and the comments I've made on the economics that drive others to cover for the criminals.

    Many of the phishing emails I have seen tend to use domains that are creatively re-arranged to look like the real thing - something like paypal.com.evilphishingdomain.com to substitute in for the real paypal.com. And of course, the evilphishingdomain.com was willingly sold to a crook by a registrar who themselves are of less-than-stellar reputation.

    Just as I've said before regarding spamming domains, if there were better controls on the domain registration process, a lot of this could be reigned in. Sure, some phishing emails do go by IP addresses instead of domain names, but for the large portion of them that use names instead, we can shut down their game quicker by making registrars actually give a hoot about their customers' damage.

    The Malware Economy Evolves (slashdot article) [slashdot.org]
    Comments on Malware Economy [slashdot.org]
    The Economic Basis of Spam (slashdot article) [slashdot.org]
    Comments on Economic Basis of Spam [slashdot.org]
    My journal article on the registrars' role in keeping spam alive [slashdot.org]

  • Legal Phishing (Score:5, Interesting)

    by jomama717 (779243) * <jomama717@gmail.com> on Wednesday December 19 2007, @11:24AM (#21752394) Journal
    I can't wrap my mind around it, but it seems that there is some relationship to this phenomenon and that of $7.8 Billion in unused gift cards [sltrib.com] (just this year!!)

    The end result is the same, some group (in this case retail store executives) is getting billions of dollars in exchange for exactly nothing.
      • I'll pass on the accounting class, apparently they turn people into assholes.

        Granted they are keeping your money interest free
        Isn't that enough?
  • This gives new meaning to the cliché "there's a sucker born every minute".

    Dan East
  • riiiighhhhtt [google.co.uk]......
  • To draw from a parallel, there are plenty of rules and restrictions for using HAM radio. Many have been relaxed...many important ones. But the fact is, you still need a license for much of it.

    It would, of course, be harmful and limiting to commercial interests for such usage restrictions to be put into place and could even serve as a tool to restrict communications freedom... so maybe in that respect, this is a really really bad idea. But I'm thinking that a license to use the public internet should been

  • *NEVER* give out personal financial information in a transaction that you did not yourself originate. As in NEVER. People have been taken in by con-artists as long as there have been human's roaming the earth, and the solution to this behavior has been around just as long. Don't be a fool, and you won't be fooled.

    Anyone can pretend to be your bank or the tax authorities, so don't fill in any forms or pay any money without cast-iron proof. Make them personally visit your shack in the mountains. Don't be s

  • 3.2 billion dollars were lost? No. The 3.2 billion dollars aren't really lost. They know where the money is, still. It's just when you go there, there's this new guy holding it.

    It's just like when you lose a job, or a girl, right Mr. Goldthwait?
  • Gartner's wording shows a definite bias against those using alternative income techniques. Here's another way to read their summary:

    "Gartner's latest survey into the realm of phishing shows increased income for 2007, with record revenue of $3.2 Billion (that's Billion, with a B) U.S. Dollars. Overall income per incident fell (to $886 from $1,244 made on average in 2006) but the numbers of individuals who subscribed rose quite sharply from 2.3 Million in 2006 to an impressive 3.6 Million. Though online por
  • Assuming that the 3.2 million incidents are from unique users, around one percent of the U.S population isn't able to avoid being victimized by a phishing scam.

    The news here isn't "OMG scamming is teh huge!" but that the numbers are so low. My everyday experience would lead me to believe that the number would be significantly higher than 1%. I mean, I run across people every day where I wind up wondering "How does someone that stupid remember to breathe?"
  • If you have money, and are stupid, you are likely to get phished. While getting phished is unlikely to collectively benefit stupidkind, they DO now collectively have much less money. This should either make them a less attractive target, or at least mitigate the level of damage the phishers can do. I suppose you could say the internet is being "phished out". Pretty soon "a fool and his money are soon parted" will have been applied enough that few of the stupid people have anything left to be phished? L
    • The above link is a hoax - its some guy spamming to get traffic to his site, and has nothing to do with the article whatsoever.

    • Re: (Score:3, Informative)

      by FatMacDaddy (878246)
      Actually, I would say that it is quite a bit different. A fool might be duped into believing the sales pitch of enlargement pills or that a Nigerian prince can't find anyone to accept money, but the point of phishing is to establish a false sense of security where the victim believes they're dealing with a secure, reputable business - usually one where they already have a solid relationship. I can see a lot of people falling for well-designed, sophisticated phishing attacks.

All trademarks and copyrights on this page are owned by their respective owners. Comments are owned by the Poster. The Rest © 1997-2009 Geeknet, Inc.