3.2 Billion Dollars Lost to Phishing in 2007
mrneutron2003 brings us FastSilicon's summary of a Gartner survey which found that 3.2 billion dollars were lost in 2007 to phishing scams. "Gartner's latest survey into the realm of phishing attacks paints a rather bleak picture for 2007, with a record estimated loss of $3.2 Billion (that's Billion, with a B) U.S. Dollars. Overall loss per incident fell (to $886 from $1,244 lost on average in 2006) but the numbers of individuals who fell victim rose quite sharply from 2.3 Million in 2006 to a staggering 3.6 Million. Though online portals Paypal and eBay remained the most spoofed brands, it appears phishers are getting more creative utilizing fake electronic greetings cards, foreign businesses, and charitable organizations in their attacks on consumers. Furthermore these criminals are increasingly targeting debit card and banking credentials rather than credit cards, because the fraud protection mechanisms there are far weaker, according to a study done at The University of California at Berkeley.
But my bank protects my money, right?
For years, I couldn't get a credit card because my credit was terrible, so I had no choice but to sign up for internet porn using my debit card (what else was I supposed to do? go without?)
So, I figure that my debit card # is sitting in a few forgotten databases around the internet. I'm not worried though, because ultimately, my BANK is liable, not me.
We can just phish the phishers and get a lot of money back!
Part of the hardcore faithful who believed in Apple long before it was cool again to do so
Oh, and those of you who don't have Ultra-Slashdot, just send me your e-mail address, your Slashdot password, and your credit card number (just for verification), and I'll be sure to enable it for you...
Lawrence Person (lawrencepersonh@gmailh.com (remove all "h"s to mail)
http://www.lawrenceperson.com/
$3,200,000,000 isn't chump change. This is an organized effort.
Are these people that good? Is it that hard to follow the trail?
Do the companies care that their consumers are being duped?
No. Really. Have you ever hit up paypal or ebay regarding a fraudulent transaction? Nothing usually ever comes of it. Why think that they will change now?
It could be worse, it could be Monday.
But don't the criminals still get the money, regardless of which type of account from which they steal it? Why do they care either way about better consumer fraud protection (which I read as "responsibility for unknown charges")? Or is it that credit cards have better preventative measures? I RTFA, but couldn't find where Berkeley talks about why credit cards have better fraud protection.
Also, as an anecdote, my bank/debit card company did very well to prevent an instance of fraud with my account. I'd like to know what credit card companies do so much better, other than the fact that they're not able to hold you personally liable in cases of fraud and thievery for amounts over $50 (?).
Please don't use "umm" or "err" or "erm".
Phishing is like any other business - the fool is parted from his money. It is no different than penis enlargement pills, stock advice or low interest mortgages (do I hear subprime?). Probably the only difference is that the customer does not get a perceived value, or gets less of it.
I've been saying for a while, phishing is a far bigger problem than spamming. The attach rate is a lot higher, because people think they are responding to a genuine email from Bank of America, the rewards are orders of magnitude higher, because you can take all their money, while the costs are just a bit higher. Sure, it's slightly illegal, but to be honest, that clearly has no effect.
in some deceptive/devious attempt to keep the billionerrors betting parlor afloat.
what a surprise?
$3.2 billion. I have to worry about $3.2 billion gross lost due to phishing, and put up with what will amount to billions more in wasted time and energy when Citibank decides to cancel my card while I'm in Europe even though I called them 5 times to let them know exactly where I will be and when. "oh, we thought you gave your number away online."
Let's look at $3.2 billion "lost."
300 million adults in the US x Z = 3,200 million.
Z = $10.66
So we're all fretting over $10.66 each that we lost in a year. Big deal. Nothing to see here. This problem is self resolving.
A few morons will lose a few hundreds, or a few thousand, or maybe even a few tens of thousands. They'll cry. If they are insured against it, they'll get paid back. If they weren't, they'll LEARN THEIR LESSON.
Problem solved. No laws needed that aren't already there (notably, fraud and theft). No need for more regulation on banks, or more stern restrictions in banking. Let the idiots lose out a few billion over a few years, and then let them learn not to use sites they haven't visited themselves, with confirmed identity. It's not so hard.
At $10.66 per person, it's a non-issue. Move along.
One long Billion or a short Billion ?
I feel this is largely parallel to the stories and discussions we've had on the economic basis of spam, and the comments I've made on the economics that drive others to cover for the criminals.
Many of the phishing emails I have seen tend to use domains that are creatively re-arranged to look like the real thing - something like paypal.com.evilphishingdomain.com to substitute in for the real paypal.com. And of course, the evilphishingdomain.com was willingly sold to a crook by a registrar who themselves are of less-than-stellar reputation.
Just as I've said before regarding spamming domains, if there were better controls on the domain registration process, a lot of this could be reined in. Sure, some phishing emails do go by IP addresses instead of domain names, but for the large portion of them that use names instead, we can shut down their game quicker by making registrars actually give a hoot about their customers' damage.
The Malware Economy Evolves (slashdot article)
Comments on Malware Economy
The Economic Basis of Spam (slashdot article)
Comments on Economic Basis of Spam
My journal article on the registrars' role in keeping spam alive
Damn_registrars has no butt-hole. Damn_registrars has no use for a butt-hole.
so if some twat at your bank gets tricked into divulging your personal information somehow, it's your fault right?
My rich deceased uncle was a fisher, and has left $3.2 BILLION US DOLLARS to me. However, due to the military COUP in my country, I am unable to move the money to a safe location without YOUR HELP. I am most willing to give you a sizeable piece of my inheritance, 30% or APPROX $1 BILLION US DOLLARS for your assistance in this matter. If this sounds like a reasonable opportunity for you, PLEASE REPLY TO THIS MESSAGE with your bank account number and routing information.
THANK YOU AND GOD BLESS,
Mr. Johim Nabobbi
Doesn't matter to me, I am insured against all sorts of financial calamity. I also tend not to keep my money in the bank where it makes someone else money, so it's another thing I don't worry too much about.
I can't wrap my mind around it, but it seems that there is some relationship to this phenomenon and that of $7.8 Billion in unused gift cards (just this year!!)
The end result is the same, some group (in this case retail store executives) is getting billions of dollars in exchange for exactly nothing.
while [ 1 ]; do echo -n -e "\xe2\x95\xb$((($RANDOM&1)+1))"; done
The above link is a hoax - its some guy spamming to get traffic to his site, and has nothing to do with the article whatsoever.
Kevin Smith on Prince
Anyone dumb enough to pay for something that is abundantly free deserves whatever they get.
On another note I have an abundant supply of di-hydrogen monoxide I am looking to sell. It is extremely useful for many applications. Regularly priced at up to $4.00 / litre, I am willing to part with it for only $0.50 / litre. Msg me for details!
My blog
This gives new meaning to the cliché "there's a sucker born every minute".
Dan East
Better known as 318230.
I got that number from the institute-of-pulling-numbers-out-of-my-butt.
Seriously, when they say a number like $1244, where are they getting that?
I want to delete my account but Slashdot doesn't allow it.
It's a simple premise that the customer is at fault. Why would it be the company's job to ensure I didn't walk around passing out my CC#? It's not. That's why it's 3.2 billion $'s GONE.
So basically, -1 troll/offtopic is really slashdots way of saying "I hate that you thought of something before me."
riiiighhhhtt......
"None are more hopelessly enslaved than those who falsely believe they are free." -- Goethe
You mean made!! I'm rich, woo hoo!
Modest doubt is called the beacon of the wise - William Shakespeare
Aha, so let's say you pay $10/month for your "calamity" insurance - which means over the last 5 years you've paid $600 for it and counting. Might as well drop the insurance and learn your $10 lesson with the rest of the "morons".
Who is the real victim of internet phishing? YOU ARE!!!
while [ 1 ]; do echo -n -e "\xe2\x95\xb$((($RANDOM&1)+1))"; done
Why can't they just follow the money?
I know with the technological spoofery it can be difficult to find the origin of the phishing.
With dodgy registrars and others it can be difficult to find the owner of a domain.
But the money has to actually go *somewhere*. So why can't it be followed up at the point somebody moves it somewhere?
$3.2 Billion - that's like 2 euros at today's conversion rates?
Two words: Netcraft Toolbar
To draw from a parallel, there are plenty of rules and restrictions for using HAM radio. Many have been relaxed...many important ones. But the fact is, you still need a license for much of it.
It would, of course, be harmful and limiting to commercial interests for such usage restrictions to be put into place and could even serve as a tool to restrict communications freedom... so maybe in that respect, this is a really really bad idea. But I'm thinking that a license to use the public internet should been required where a "Class C" license would simply require that you pass a basic knowledge test rather like getting a driver's license. If people were required to have even a BASIC amount of knowledge to use the public internet, then perhaps people would be a lot less gullible when it comes to stupid things like Phishing. And truly, I would be very interested in anything that keeps stupid people "out of my way" which includes the public internet and the public streets and highways.
Yeah, I know why these are probably bad ideas or that it couldn't really work... after all, driver licenses do not guarantee safety on the freeways, but I'll bet it goes a long way to improving that safety. The point I'm trying to make is that there seems to be no knowledge barrier to getting on the internet and that's a problem. For many other things in life, having a basic set of skills or a foundation of knowledge is a requirement and it serves the public interests well.
For commercial activities on the internet, there should be some verifiable registry... a "class A" license if you will. A "private" license may or may not be a great idea, but a "commercial license" could lead to a lot of things that could also protect the public from phishing and other fraud. So perhaps 'the right to use the internet is free, but the right to do business is not' might be a good approach. The idea of ".com" ".edu" ".net" and such were supposed to help in that regard but it was quickly abused and washed away... unfortunate.
And I guess most people here can share the feeling that 'phishing only affects the stupid' because quite frankly even the first time I had seen anything like that, my initial reaction was "yeah, right!" And it seems unimaginable that people could be so stupid. I still maintain a level of disbelief in the face of overwhelming evidence to the contrary... so yes, I mentally accept that there are people who are really THAT STUPID, but emotionally, it's difficult to accept because I don't consider myself to be 'above average' in any way and in many ways, 'below average.'
A debit card is more dangerous because it isn't clear cut. Credit cards, the liability limits are very clear. More or less, because it isn't actually your money involved (you are being loaned the money by the bank) you aren't liable for anything. With a debit card you can be. It is more discretionary to the bank. With a credit card, you stop a transaction and that's it, it's done. The merchant basically has to take you to court if they want to get their money, which they won't do if they are a fraudster of course. However with a debit card the money has actually been taken from you. The bank can choose to return the money to you, and often will, however they don't have to in various situations.
So there is more risk. It is more up to your bank with a debit card, whereas they just don't have much choice with a credit card. In the case of a credit card, you are disputing that you owe them money, and they really don't have any ability to take it from you. In the case of a debit card, the money has already been taken, and you are asking for it back.
Aha, so let's say you pay $10/month for your "calamity" insurance - which means over the last 5 years you've paid $600 for it and counting. Might as well drop the insurance and learn your $10 lesson with the rest of the "morons".
Err, no. I only bank with banks that provide extra insurance over their D&O policy. If you are familiar with banking regulations and laws, D&O protects banks from a lot of fraudulent activities that the banks can generally ignore. SOME banks have extra D&O insurance. If they have no D&O-violation payouts, the insurance is VERY cheap per deposit. On $100,000 on deposit, the insurance might be $3 a year if the bank has no history of D&O violations. No big deal. I won't deal with big banks that have large legal teams and no extra D&O insurance, ever. We even surcharge customers for writing us checks from banks without extra D&O insurance. It's a nice way to inform people of the risk they take.
I also don't bank at FDIC-insured banks, since it's also a scam on depositors. No thanks.
Phishing doesn't concern me. Identity theft doesn't concern me. Privacy of records doesn't concern me. You can protect yourself very well already, you just need to spend a little bit of time navigating the laws and regulations. It is those dastardly things that force me to do so, whereas in a more free economic market I'd just hire an insurance company to write a policy covering what I want. Today, I have to deal with the bank's insurer, as private privacy protection insurance has too many loopholes and offers little to no protection. D&O insurance is the only way to deal with these issues.
Reduce, reuse, cycle
3.2 billion-with-a-b dollars? Whoo, that really, really stinks. I wonder where Gartner pulled that number out of?
Sure, from the average citizen's perspective, $10.66 isn't money worth much thought. But, from the average Phisher's perspective, $3.2 billion is a hefty sum. How many Phisher's do you think share the $3.2 billion? Maybe I need to consider a career change...
I recently opened a Suntrust checking account, and soon got a welcome E-mail with the expected "SunTrust will never send unsolicited emails asking clients to provide, update, or verify personal or account information, such as passwords, Social Security Numbers, PINs, credit or Check Card numbers, or other confidential information"
Later that same day, I get another E-mail from "Suntrust Credentials Delivery", asking me to go to https://www.suntrust.com/completeenrollment and enter the security code provided in the E-mail, my COMPLETE Social Security number, and to choose a User ID and Password, which had already been established elsewhere at this point.
I figure this has GOT to be phishing with a real-time connection to Suntrust's account database, or an attempt by Suntrust to determine if I'm an idiot.
I've gotten the E-mail several times since, and even snail mail on Suntrust stationary, imploring me to complete my enrollment. I haven't, and my online access is still working fine. I can't wait for them to shut it down so I can walk into their branch and show them that they are asking me to provide the very info they swore they would never ask me for by E-mail.
for anyone else that's fed up with this guy - this greasemonkey script shows the actual tinyurl destination in the tooltip when you hover over it.
and if you don't want to run greasemonkey directly - convert it into a standalone firefox extension
That is if you trust this figure.... ... Gartner is not the most reliable source, and how did they come up with this estimate, when the victims mostly will not tell people they were scammed, and the banks will not release their losses ...
Puteulanus fenestra mortis
3.2 billion dollars were lost? No. The 3.2 billion dollars aren't really lost. They know where the money is, still. It's just when you go there, there's this new guy holding it.
It's just like when you lose a job, or a girl, right Mr. Goldthwait?
Oh, say does that Star-Spangled Banner entwine / The myrtle of Venus with Bacchus's vine?
That is if you trust this figure.... ... Gartner is not the most reliable source, and how did they come up with this estimate, when the victims mostly will not tell people they were scammed, and the banks will not release their losses ...
Still doesn't affect me. The minute I heard about phishing, I sent an email to all my friends and family explaining it in detail. This goes back years ago. So far, not a single person I know, not a single customer I work with (out of thousands of users) and not a single person I've heard of from any friends, family or client has been phished or scammed.
Let's say conservatively that 5000 people are in that circle. I did my job informing them. They protected themselves with simple software available for YEARS. Why should I be penalized because other people did not take the time to learn how to properly and safely use the tools they're using? A guy cuts his fingers off with a circular saw, and from now on I have to buy overly safe circular saws? Someone crashes their car into the median fence on an icy day because they didn't train themselves on how to see and deal with black ice?
Where has personal responsibility gone to? You screw up, you deal with the consequences, you teach your kids, family and friends what happened. If you misuse a service and get defrauded, prepare for it in the future through one of the DOZENS of insurance plans that protect you, or learn what mistake you made. Duh.
Gartner's wording shows a definite bias against those using alternative income techniques. Here's another way to read their summary:
"Gartner's latest survey into the realm of phishing shows increased income for 2007, with record revenue of $3.2 Billion (that's Billion, with a B) U.S. Dollars. Overall income per incident fell (to $886 from $1,244 made on average in 2006) but the numbers of individuals who subscribed rose quite sharply from 2.3 Million in 2006 to an impressive 3.6 Million. Though online portals Paypal and eBay remained the most useful brands, it appears phishing entrepreneurs are getting more creative utilizing fake electronic greetings cards, foreign businesses, and charitable organizations in their portfolio of profit generating techniques. Furthermore these budding corporate executives are increasingly taking interest in debit card and banking credentials rather than credit cards, because the alternative income technique protection mechanisms there are far weaker, according to a study done at The University of California at Berkeley."
</sarcasm>
-USR1
so you're okay with donating $10 to thieves every year? I'd rather give cops an extra $1000/yr than thieves an extra $10.
“Common sense is not so common.” — Voltaire
That's interesting, thanks for the info. I guess the point remains that any money spent on fraud/ID theft insurance is directly attributable to the fraud and ID theft in the first place, and buyers of this insurance should be considered indirect victims of the crime. Perhaps a secondary crime is banks offering overpriced insurance, which is a problem you seem to have avoided.
while [ 1 ]; do echo -n -e "\xe2\x95\xb$((($RANDOM&1)+1))"; done
Assuming that the 3.2 million incidents are from unique users, around one percent of the U.S population isn't able to avoid being victimized by a phishing scam.
The news here isn't "OMG scamming is teh huge!" but that the numbers are so low. My everyday experience would lead me to believe that the number would be significantly higher than 1%. I mean, I run across people every day where I wind up wondering "How does someone that stupid remember to breathe?"
Interested in a Flash-based MAME front end? Visit mame.danzbb.com
that's Billion, with a B
Yea, in case someone was reading this summary to you.
If a number seems too big just divide it by a bigger divisor. That's an old device usually seen in political ads. I prefer more direct comparisons like the estimate of $25 billion lost to shoplifters, and perhaps $50 billion in what is sometimes called inventory shrinkage, e.g. the TV that fell off the truck.
How do you know if a bank has this insurance or not? And why is FDIC insurance a scam? (I'm asking because I've been following your articles on banking and such. Real eye-opening stuff, that.)
My blog
. . . and that bootleg copy of "Leisure Suit Larry" I found on his Win98 machine last Sunday?
How much do I get for turning him in?
If you have money, and are stupid, you are likely to get phished. While getting phished is unlikely to collectively benefit stupidkind, they DO now collectively have much less money. This should either make them a less attractive target, or at least mitigate the level of damage the phishers can do. I suppose you could say the internet is being "phished out". Pretty soon "a fool and his money are soon parted" will have been applied enough that few of the stupid people have anything left to be phished? Looks like a problem that is destined to take care of itself.
I work for the Department of Redundancy Department.
Gartner sees no easy way out of this dilemma unless e-mail providers have incentives to invest in solutions to keep phishing e-mails from reaching consumers in the first place, and unless advertising networks and other "infection point" providers (which theoretically can be any legitimate Web site or service) have incentives to keep malware from being planted on their Web sites to reach unsuspecting consumers.
In practice, only a small minority of "legitimate Web sites or services" are "infection point providers". We have a little list. Right now, there are 166 major sites known to be providing material support to phishing attacks. There were 171 when The Register covered this last week, so publicity is having some effect. Most sites on the list only stay there for a few days, until somebody fixes the problem. A few sites stay on the list, and may need a clue stick applied.
These are exploits of open redirectors, DSL lines with zombies, sites that let hostile content be uploaded (uploading a hostile ".swf" file to Photobucket, for example), and out and out break-ins. These aren't sites that are cooperating with phishers; they're innocent, but often clueless, victims.
We blacklist the entire second-level domain if there's any phishing activity anywhere in the domain. This is far more effective than blacklisting by URL. Phishing sites change URLs and subdomains constantly now, so blacklisting by URL is as useless as virus scanning by signature. Yes, there's some collateral damage. It's all to sites on that list. We make the list public, and provide links to the actual phishing information (which is from PhishTank.), so major sites can fix their problems.
This part of the problem can be fixed. It just takes a hard-line approach.
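The two detection ideas raised in this thread, recognising brand-prefixed lookalike hosts such as paypal.com.evilphishingdomain.com and blocking the whole second-level domain rather than individual phishing URLs, can be shown together in a small Python classifier. This is an added example, not code from any commenter or from PhishTank; the brand set, the blocklist, the shortened public-suffix table and the sample report URLs are all constructed for the demo.

```python
import re
from urllib.parse import urlparse

# Constructed sample data: brands being protected and a domain-level blocklist.
# These are demo entries, not real feed data.
PROTECTED_BRANDS = {"paypal.com", "ebay.com"}
BLOCKED_DOMAINS = {"evilphishingdomain.com"}

# Truncated public-suffix table for the demo. A real deployment would load the
# full Public Suffix List so that "co.uk"-style suffixes are handled everywhere.
PUBLIC_SUFFIXES = {"com", "net", "org", "co.uk"}

IPV4_LITERAL = re.compile(r"\d{1,3}(\.\d{1,3}){3}")


def registrable_domain(host):
    """Return the registrable (second-level) domain of a hostname.

    'www.paypal.com.evilphishingdomain.com' -> 'evilphishingdomain.com'
    'shop.example.co.uk'                    -> 'example.co.uk'
    """
    labels = host.lower().rstrip(".").split(".")
    # Try the longest known suffix first (two labels), then a single label.
    for n in (2, 1):
        if len(labels) > n and ".".join(labels[-n:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[-(n + 1):])
    return host.lower()


def classify_url(url):
    """Classify a link the way a domain-level blocklist would see it."""
    host = urlparse(url).hostname or ""   # hostname strips userinfo and port
    if not host:
        return "invalid"
    if IPV4_LITERAL.fullmatch(host):
        return "ip-literal"               # phishing by raw IP, no domain to block
    reg = registrable_domain(host)
    if reg in BLOCKED_DOMAINS:
        return "blocked-domain"           # any subdomain or path under it is caught
    if reg in PROTECTED_BRANDS:
        return "brand"                    # the genuine site
    for brand in PROTECTED_BRANDS:
        # Brand string used as a subdomain or label of an unrelated domain.
        if brand in host or brand.split(".")[0] in host:
            return "brand-lookalike"
    return "unknown"


def domains_from_reports(reported_urls):
    """Turn a list of reported phishing URLs into second-level domains to block.

    Blocking at this level survives the constant URL and subdomain churn that
    makes per-URL blacklists stale.
    """
    domains = set()
    for url in reported_urls:
        host = urlparse(url).hostname or ""
        if host and not IPV4_LITERAL.fullmatch(host):
            domains.add(registrable_domain(host))
    return domains


if __name__ == "__main__":
    # Constructed sample report feed, not real PhishTank data.
    reports = [
        "http://paypal.com.evilphishingdomain.com/login",
        "http://secure-update.evilphishingdomain.com/ebay/",
        "http://ebay.com.badhost.co.uk/signin",
        "http://192.0.2.10/paypal/",
    ]
    print(sorted(domains_from_reports(reports)))
    for u in ["https://www.paypal.com/signin", "http://paypal.com@evilphishingdomain.com/",
              "http://paypal-verify.net/", "http://192.0.2.10/paypal"]:
        print(u, "->", classify_url(u))
```

Note that `urlparse(...).hostname` already discards a `user@` prefix, so a link written as `http://paypal.com@evilphishingdomain.com/` is classified by the real host, not by the decoy before the `@`. IP-literal links fall outside a domain blocklist entirely, which is the gap the parent post acknowledges.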
How do you know if a bank has this insurance or not? And why is FDIC insurance a scam?
Unfortunately, it takes a lot of research. If you've followed my banking info (take a look at my latest site, Full Reserve Banking where I am theorizing on the actual process of my utopian bank), you know that I don't keep a lot of money in cash-denominated accounts. Almost all of my dollar savings are in some sort of full-reserve structure, such as a laddered CD. I only do this to keep my money partially interest-bearing, but still accessible on a monthly basis.
My favorite banks are generally credit unions, but they're also hard to navigate. More often than not, a simple letter to the bank requesting their D&O policy and underwriters beyond that policy will grant you all you need to know. Read the D&O policy, most of the time it's scary. You'd be surprised what people AREN'T protected against.
The reason that I feel FDIC is a scam is the way it's based. A very, VERY close friend of mine is the General Manager of a very large bank at one of their largest branches. When a bank fails to redeem deposits, FDIC doesn't step in right away. Instead, other member-banks within the system (meaning, competitor banks generally) will bail out the failed bank. The FDIC will likely never make a payment. There are historical precedents of FDIC bailouts, but they're really complicated.
The one bailout I investigated thoroughly was incredibly complicated. From my recollection, it went like this:
1. Depositors felt bank was unstable (all fractional reserve banks are illiquid, of course)
2. Depositors withdrew deposits (savings, checking, CDs, etc)
3. Bank ran out of funds.
4. Federal Reserve would not loan bank capital due to bank not having assets to borrow against.
5. Bank ruptured (bankruptcy).
6. FDIC stepped in, competitor banks loaned the bank money against their own reserves.
7. Bank still ruptured more.
8. FDIC stepped in, and made bank re-capitalize assets. New recapitalization allowed a private company to purchase the bank's remaining illiquid assets at well below market value. FDIC then used taxpayer dollars to redeem the rest of the depositors.
So what we have here is competitors forced to start the bailout process. That failed. Then, the FDIC required that the bank price up all their assets (anything they've loaned against, buildings, etc). Let's say that the bank owed depositors $1 billion. The bank had $60 million in cash, and $800 million in assets. Savers want their $1 billion. The bank pays out the $60 million it has, and then has to sell assets to other banks, or call in the loans. They are still short, so the FDIC has other banks pay out depositors, who then increase their demand for money. Now, $100 million has been paid out, leaving $900 million in receipts, and still only $800 million in illiquid assets. Mr. Insider says he'll pay $600 million for those assets, and there are rarely big bids for those assets. FDIC requires failed bank to sell the $800m in assets for $600m, and uses taxpayer funds to pay the other $300m to depositors.
It's a scam. There's no insurance money set-aside really. The fractional reserve ratio is abnormally low, but the banks believe that depositors won't rush to withdraw money at the same time. Of course, that is starting to happen. And instead of finding a buyer for the bank's assets, no one comes to the table because many of those assets are falling in value fast (think, housing bubble crash).
It's an ugly situation. I wrote it up simpler than reality, but you get the gist of the situation.
I _have_ found a relatively full reserve bank, in the Middle East, in a country that we're still allowed to send money to. Their actual reserves are around 80%, but it's better than 9% or 6% or whatever the FedRes requires now. The risk is that the bank's chartering country may be considered an enemy in the future, which means the assets wou
The credit card companies simply saw that we were dumb enough to rent said money from the banks and wondered if we would be so dumb that we'd pay them a fee on every single transaction, and basically they were right, we are. We go out every day and work our arses off for 8 hours and then hand the money we've earned over to the banks and credit card companies, quite happily. You see, the average person is as dumb as a post.
I can't honestly blame them, the stupid largely deserve what they get.
It's so easy to say that the people that fall for these things are morons, that they are responsible, that $10 isn't much money on average. Now imagine that your grandparent falls for one of these scams and loses $10,000 of their retirement money. Or your spouse falls for one and ends up destroying your credit for the next 10 years. Yes, people need to pay attention and yes the average person should spot a phishing email. But blaming the losses on the victims is like saying that the girl that got raped deserved it because she was dressed slutty and shouldn't have been in that part of town. But, I guess now she knows not to go there again, so no worries.
Just for grins I looked to see if any unlucky bloke would start getting demand letters in the mail. Google maps returned:
"Your search for 4882 Prudence Street, near Farmington Hills, MI 48335 did not match any locations.
Suggestions:
* Make sure all words are spelled correctly.
* Try different keywords.
* Try more general keywords."
This BS detector might be useful for sellers who get a ship to which isn't the same as the billing address.
The truth shall set you free!
Not just because of Gartner's reputation, but losses are always grossly exaggerated and often based on intangibles like potential profit. Not to mention that this whole survey thing is a guesstimate.
Your typical fear-mongering.
All that money wasn't lost. It just got moved around!
Question everything
And yeah, the information that fakename generates makes no attempt to be valid - it's just for testing databases etc, (and for me to use when 'mandatory fields' are presented on ridiculous webforms (I'm looking at you Solaris)). From the fakename generator FAQ:
... to whoever posted the "The Last Boy Scout" reference in the tags. ("That's nine zeroes, son!") I love the twangy way that guy delivered that line. Makes me want to watch it tonight. :-)
Dear Slashdot: next time you want to mess with the site, add a rich-text editor for comments.
Stop being stupid.
Thanks.
- chrish