
3.2 Billion Dollars Lost to Phishing in 2007

mrneutron2003 brings us FastSilicon's summary of a Gartner survey which found that 3.2 billion dollars were lost in 2007 to phishing scams. "Gartner's latest survey into the realm of phishing attacks paints a rather bleak picture for 2007, with a record estimated loss of $3.2 Billion (that's Billion, with a B) U.S. Dollars. Overall loss per incident fell (to $886 from $1,244 lost on average in 2006) but the numbers of individuals who fell victim rose quite sharply from 2.3 Million in 2006 to a staggering 3.6 Million. Though online portals PayPal and eBay remained the most spoofed brands, it appears phishers are getting more creative utilizing fake electronic greetings cards, foreign businesses, and charitable organizations in their attacks on consumers. Furthermore these criminals are increasingly targeting debit card and banking credentials rather than credit cards, because the fraud protection mechanisms there are far weaker, according to a study done at The University of California at Berkeley."
This discussion has been archived. No new comments can be posted.

  • by Foolicious ( 895952 ) on Wednesday December 19, 2007 @12:04PM (#21752104)

    Furthermore these criminals are increasingly targeting debit card and banking credentials rather than credit cards, because the fraud protection mechanisms there are far weaker, according to a study done at The University of California at Berkeley

    But don't the criminals still get the money, regardless of which type of account from which they steal it? Why do they care either way about better consumer fraud protection (which I read as "responsibility for unknown charges")? Or is it that credit cards have better preventative measures? I RTFA, but couldn't find where Berkeley talks about why credit cards have better fraud protection.

    Also, as an anecdote, my bank/debit card company did very well to prevent an instance of fraud with my account. I'd like to know what credit card companies do so much better, other than the fact that they're not able to hold you personally liable in cases of fraud and thievery for amounts over $50 (?).

  • Phishing for spam. (Score:5, Interesting)

    by Ochu ( 877326 ) on Wednesday December 19, 2007 @12:05PM (#21752146) Homepage
    I've been saying for a while, phishing is a far bigger problem than spamming. The attach rate is a lot higher, because people think they are responding to a genuine email from Bank of America, the rewards are orders of magnitude higher, because you can take all their money, while the costs are just a bit higher. Sure, it's slightly illegal, but to be honest, that clearly has no effect.
  • by damn_registrars ( 1103043 ) <damn.registrars@gmail.com> on Wednesday December 19, 2007 @12:16PM (#21752284) Homepage Journal
    I feel this is largely parallel to the stories and discussions we've had on the economic basis of spam, and the comments I've made on the economics that drive others to cover for the criminals.

    Many of the phishing emails I have seen tend to use domains that are creatively re-arranged to look like the real thing - something like paypal.com.evilphishingdomain.com to substitute in for the real paypal.com. And of course, the evilphishingdomain.com was willingly sold to a crook by a registrar who themselves are of less-than-stellar reputation.

    Just as I've said before regarding spamming domains, if there were better controls on the domain registration process, a lot of this could be reined in. Sure, some phishing emails do go by IP addresses instead of domain names, but for the large portion of them that use names instead, we can shut down their game quicker by making registrars actually give a hoot about their customers' damage.

    The Malware Economy Evolves (slashdot article) [slashdot.org]
    Comments on Malware Economy [slashdot.org]
    The Economic Basis of Spam (slashdot article) [slashdot.org]
    Comments on Economic Basis of Spam [slashdot.org]
    My journal article on the registrars' role in keeping spam alive [slashdot.org]
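
An added example, not part of any comment in this thread: a link classifier for the pattern described in the comment above, where a brand's real domain is used as a subdomain prefix of an unrelated registered domain, or the link goes by IP address. `PUBLIC_SUFFIXES`, `BRANDS`, `registrable_domain` and `classify_link` are names assumed for this sketch, and the suffix set is a small constructed stand-in for the full Public Suffix List.

```python
import ipaddress
from urllib.parse import urlsplit

# Assumption: a tiny constructed suffix set; production code should load the
# full Public Suffix List instead.
PUBLIC_SUFFIXES = {"com", "net", "org", "co.uk"}
# Assumption: each brand mapped to the registrable domain it actually owns.
BRANDS = {"paypal": "paypal.com", "ebay": "ebay.com"}


def registrable_domain(host):
    """Return public suffix plus one label, e.g. 'evilphishingdomain.com'."""
    labels = host.split(".")
    for i in range(len(labels)):          # longest candidate suffix first
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels[-2:])          # unknown suffix: last two labels


def classify_link(url):
    """Return 'ip-literal', 'brand-in-subdomain', 'brand-lookalike' or 'ok'."""
    host = (urlsplit(url).hostname or "").rstrip(".").lower()
    try:
        ipaddress.ip_address(host)
        return "ip-literal"               # link uses an address, not a name
    except ValueError:
        pass
    owner = registrable_domain(host)      # the part someone actually registered
    if owner in BRANDS.values():
        return "ok"                       # the brand controls this host
    for brand, real in BRANDS.items():
        if host.startswith(real + ".") or "." + real + "." in host:
            return "brand-in-subdomain"   # e.g. paypal.com.<other domain>
        if brand in host:
            return "brand-lookalike"      # brand string in an unrelated name
    return "ok"


if __name__ == "__main__":
    # Constructed sample links, including the one quoted in the comment.
    for link in ("http://paypal.com.evilphishingdomain.com/login",
                 "https://www.paypal.com/",
                 "http://192.0.2.10/paypal/"):
        print(link, "->", classify_link(link))
```

The substring check for `brand-lookalike` is deliberately broad and will also flag unrelated names that happen to contain a brand string, so treat that verdict as a prompt for review rather than a block decision.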
  • Legal Phishing (Score:5, Interesting)

    by jomama717 ( 779243 ) * <jomama717@gmail.com> on Wednesday December 19, 2007 @12:24PM (#21752394) Journal
    I can't wrap my mind around it, but it seems that there is some relationship to this phenomenon and that of $7.8 Billion in unused gift cards [sltrib.com] (just this year!!)

    The end result is the same, some group (in this case retail store executives) is getting billions of dollars in exchange for exactly nothing.
  • by dsginter ( 104154 ) on Wednesday December 19, 2007 @12:27PM (#21752428)
    Do the companies care that their consumers are being duped

    I know that the tinfoil hat is a popular slashdotter stereotype but...

    The credit card companies do *not* want fraud to go away - they need a small amount to justify their cut of every transaction on the planet.

    A decade ago, I used to be able to swipe my ATM card (which was nothing more, at that time) at the grocery store or gas pump and - voila - the cost was deducted from my checking account. Then, all of a sudden, my bank decided that they wanted to place an artificial limit on the number of ATM transactions that I could perform every month. Conveniently enough, they introduced the "Visa direct-check card" in this same time period.

    The thing was - the ATM transactions didn't cost either party more than the marginal cost of having the system in place. With the Visa (or Mastercard, etc) direct-check, my bank and Visa get to cut each other in on the deal. It is all a big racket.

    I know that the posted story is about phishing, but if the credit card companies *really* wanted to eliminate fraud, they could do so through any easily-implementable means. But they won't - because they need fraud to justify their fees.
  • by Billosaur ( 927319 ) * <<wgrother> <at> <optonline.net>> on Wednesday December 19, 2007 @12:42PM (#21752648) Journal

    I'm surprised that more banks don't make you retrieve credit/debit cards at local branches. Lots of cameras to help verify who you are. I know that when I want to change my PIN, I have to go to a WAMU branch to do it, whereas I can remember doing it online just a few years ago.

  • by Anonymous Coward on Wednesday December 19, 2007 @01:18PM (#21753170)
    I recently opened a Suntrust checking account, and soon got a welcome E-mail with the expected "SunTrust will never send unsolicited emails asking clients to provide, update, or verify personal or account information, such as passwords, Social Security Numbers, PINs, credit or Check Card numbers, or other confidential information"

    Later that same day, I get another E-mail from "Suntrust Credentials Delivery", asking me to go to https://www.suntrust.com/completeenrollment [suntrust.com] and enter the security code provided in the E-mail, my COMPLETE Social Security number, and to choose a User ID and Password, which had already been established elsewhere at this point.
    I figure this has GOT to be phishing with a real-time connection to Suntrust's account database, or an attempt by Suntrust to determine if I'm an idiot.

    I've gotten the E-mail several times since, and even snail mail on Suntrust stationery, imploring me to complete my enrollment. I haven't, and my online access is still working fine. I can't wait for them to shut it down so I can walk into their branch and show them that they are asking me to provide the very info they swore they would never ask me for by E-mail.
