3.2 Billion Dollars Lost to Phishing in 2007

mrneutron2003 brings us FastSilicon's summary of a Gartner survey which found that 3.2 billion dollars were lost in 2007 to phishing scams. "Gartner's latest survey into the realm of phishing attacks paints a rather bleak picture for 2007, with a record estimated loss of $3.2 Billion (that's Billion, with a B) U.S. Dollars. Overall loss per incident fell (to $886 from $1,244 lost on average in 2006) but the numbers of individuals who fell victim rose quite sharply from 2.3 Million in 2006 to a staggering 3.6 Million. Though online portals Paypal and eBay remained the most spoofed brands, it appears phishers are getting more creative utilizing fake electronic greetings cards, foreign businesses, and charitable organizations in their attacks on consumers. Furthermore these criminals are increasingly targeting debit card and banking credentials rather than credit cards, because the fraud protection mechanisms there are far weaker, according to a study done at The University of California at Berkeley.

Re:debit card protection

[dada21]

Get yourself a disposable credit "debit" card from any discount store (Wal*Greens, etc). GreenDot is very popular with the black market types. You can even use it on gambling sites, supposedly.

The best part of the disposable cards is that you can cap the spending without fees. If you're buying something for $500, put $500 on it, and don't refill it. A few times a year they have deals where the cards are free as is the first deposit, so pick up a few grand worth of them at various levels and you're set.

From what I know of the people who use them alot (google Rosemont, Illinois), they're also a great way to exchange money without anyone tracking it. Just what I've heard, though.

Re:debit card protection

[CastrTroy]

That all depends on your bank. I got my debit card duplicated and somebody took $500 out of my account. The bank called me up before I even noticed the money was missing. They asked if I made the charge. I said I didn't, and the money was back in my account within 5 days. I had to go down to my local branch and pick up a new debit card, but there was very little trouble on my part. Just as a reference, my bank is TD Canada Trust [tdcanadatrust.com].

Re:Why would criminals care about the source?

[tlhIngan]

Furthermore these criminals are increasingly targeting debit card and banking credentials rather than credit cards, because the fraud protection mechanisms there are far weaker, according to a study done at The University of California at Berkeley

But don't the criminals still get the money, regardless of which type of account from which they steal it? Why do they care either way about better consumer fraud protection (which I read as "responsibility for unknown charges")? Or is it that credit cards have better preventative measures? I RTFA, but couldn't find where Berkeley talks about why credit cards have better fraud protection.

Also, as an anecdote, my bank/debit card company did very well to prevent an instance of fraud with my account. I'd like to know what credit card companies do so much better, other than the fact that they're not able to hold you personally liable in cases of fraud and thievery for amounts over $50 (?).

The reason credit cards are better is because the protections they have are enshrined in law. Debit card fraud protection isn't - it's only between you and your bank. That's where the $50 protection comes in - if your credit card is stolen, you're only responsible for the first $50 used while it was stolen (even if you didn't realize until later). Now, some banks actually make it "no liability" and eat the $50 as well, but like debit cards, that's between you and your bank.

Now, imagine your debit card is stolen (or more commonly, duplicated with information stored from illicit debit machines). As far as your bank is concerned, you've been withdrawing the money as normal.

Finally, consider the illicit charge that happens. With a credit card, the money is the bank's (or Visa/Mastercard/Amex/etc) money. They will lean on the merchant to offer proof that you made the transaction (hence the little credit card slip you sign), since that's a contract. If not, they take the money from the merchant and reimburse you.

Now try a debit card. The bank can't tell that it wasn't you that made the trasaction. In fact, it could be you trying to scam free money off the bank. All the bank has is a record that your card was used to withdraw cash from your account (your money) that you claim you never withdrew.

This should be a call for better debit card security, but until then, proving you didn't take your money is a lot harder than having the merchant prove you did make the purchase. Since it's not the bank's money, they can investigate as long as they like, while you're out of the money for the duration. Now some banks may offer cardholder services that make it similar to credit card in protection, but they don't have to. (A more practical aspect - if your credit card was used illicitly, you're not out the money immediately, so you can sustain yourself. If your debit card was used illicitly, you're out the cash until your bank refunds it. This can mean not having money for food and shelter...)

Just FYI - the signature on the back of your credit card is used to indicate that you agree to the cardholder's agreement. It is not, and should not, be used as a signature reference. That slip you sign is a contract saying you will pay the amount shown as per the cardholder's agreement (which your signature on the card verifies). Thus, "Check ID" is not a valid signature on the card, and the store is right in refusing your card since you technically did not agree to the terms of your cardholder agreement (which naturally includes stuff like paying back the money you borrowed!). The cashier, unless they are trained in handwriting analysis, can't really compare signatures (and shouldn't). They can do a quick verification to make sure that you're not playing games, but that's about it.

Stores that tend to attract a lot of fraudulent activity may request ID, though.

It's also why e-commerce is slightly more vulnerable to credit card

Re:This was already covered on Ultra-Slashdot

[russ1337]

Really, all this has been covered on Ultra-Slashdot in much greater detail.

Oh, and those of you who don't have Ultra-Slashdot, just send me your e-mail address, your Slashdot password, and your credit card number (just for verification), and I'll be sure to enable it for you..

Email Address: Raymond.A.Carnine@dodgit.com,

Slashdot password is: "imFishingYouberleethaxors"

Visa: 4916 7995 1982 5659
Expires: 5/2008

oh, and you may need this: SSN: 381-80-6521


Thanks!!!!

Raymond A. Carnine [fakenamegenerator.com]
4882 Prudence Street
Farmington Hills, MI 48335

Re:How is it lost?

[FatMacDaddy]

Actually, I would say that it is quite a bit different. A fool might be duped into believing the sales pitch of enlargement pills or that a Nigerian prince can't find anyone to accept money, but the point of phishing is to establish a false sense of security where the victim believes they're dealing with a secure, reputable business - usually one where they already have a solid relationship. I can see a lot of people falling for well-designed, sophisticated phishing attacks.

Re:Hoax

[Anonymous Coward]

for anyone else thats fed up of this guy - this greasemonkey script [blogspot.com] shows the actual tinyurl destination in the tooltip when you hover over it.

and if you dont want to run greasemonkey directly - convert it into a standalone firefox extension [arantius.com]

Comment removed

[account_deleted]

Comment removed based on user account deletion