3.2 Billion Dollars Lost to Phishing in 2007
mrneutron2003 brings us FastSilicon's summary of a Gartner survey which found that 3.2 billion dollars were lost in 2007 to phishing scams. "Gartner's latest survey into the realm of phishing attacks paints a rather bleak picture for 2007, with a record estimated loss of $3.2 Billion (that's Billion, with a B) U.S. Dollars. Overall loss per incident fell (to $886 from $1,244 lost on average in 2006) but the numbers of individuals who fell victim rose quite sharply from 2.3 Million in 2006 to a staggering 3.6 Million. Though online portals Paypal and eBay remained the most spoofed brands, it appears phishers are getting more creative utilizing fake electronic greetings cards, foreign businesses, and charitable organizations in their attacks on consumers. Furthermore these criminals are increasingly targeting debit card and banking credentials rather than credit cards, because the fraud protection mechanisms there are far weaker, according to a study done at The University of California at Berkeley."
Oh, and those of you who don't have Ultra-Slashdot, just send me your e-mail address, your Slashdot password, and your credit card number (just for verification), and I'll be sure to enable it for you...
Lawrence Person (lawrencepersonh@gmailh.com (remove all "h"s to mail)
http://www.lawrenceperson.com/
$3,200,000,000 isn't chump change. This is an organized effort.
Are these people that good? Is it that hard to follow the trail?
Do the companies care that their consumers are being duped?
No. Really. Have you ever hit up paypal or ebay regarding a fraudulent transaction? Nothing usually ever comes of it. Why think that they will change now?
It could be worse, it could be Monday.
But don't the criminals still get the money, regardless of which type of account from which they steal it? Why do they care either way about better consumer fraud protection (which I read as "responsibility for unknown charges")? Or is it that credit cards have better preventative measures? I RTFA, but couldn't find where Berkeley talks about why credit cards have better fraud protection.
Also, as an anecdote, my bank/debit card company did very well to prevent an instance of fraud with my account. I'd like to know what credit card companies do so much better, other than the fact that they're not able to hold you personally liable in cases of fraud and thievery for amounts over $50 (?).
Please don't use "umm" or "err" or "erm".
Get yourself a disposable credit "debit" card from any discount store (Wal*Greens, etc). GreenDot is very popular with the black market types. You can even use it on gambling sites, supposedly.
The best part of the disposable cards is that you can cap the spending without fees. If you're buying something for $500, put $500 on it, and don't refill it. A few times a year they have deals where the cards are free as is the first deposit, so pick up a few grand worth of them at various levels and you're set.
From what I know of the people who use them a lot (google Rosemont, Illinois), they're also a great way to exchange money without anyone tracking it. Just what I've heard, though.
I've been saying for a while, phishing is a far bigger problem than spamming. The attach rate is a lot higher, because people think they are responding to a genuine email from Bank of America, the rewards are orders of magnitude higher, because you can take all their money, while the costs are just a bit higher. Sure, it's slightly illegal, but to be honest, that clearly has no effect.
That all depends on your bank. I got my debit card duplicated and somebody took $500 out of my account. The bank called me up before I even noticed the money was missing. They asked if I made the charge. I said I didn't, and the money was back in my account within 5 days. I had to go down to my local branch and pick up a new debit card, but there was very little trouble on my part. Just as a reference, my bank is TD Canada Trust.
Anthropic principle: We see the universe the way it is because if it were different we would not be here to see it.
I feel this is largely parallel to the stories and discussions we've had on the economic basis of spam, and the comments I've made on the economics that drive others to cover for the criminals.
Many of the phishing emails I have seen tend to use domains that are creatively re-arranged to look like the real thing - something like paypal.com.evilphishingdomain.com to substitute in for the real paypal.com. And of course, the evilphishingdomain.com was willingly sold to a crook by a registrar who themselves are of less-than-stellar reputation.
Just as I've said before regarding spamming domains, if there were better controls on the domain registration process, a lot of this could be reined in. Sure, some phishing emails do go by IP addresses instead of domain names, but for the large portion of them that use names instead, we can shut down their game quicker by making registrars actually give a hoot about their customers' damage.
The Malware Economy Evolves (slashdot article)
Comments on Malware Economy
The Economic Basis of Spam (slashdot article)
Comments on Economic Basis of Spam
My journal article on the registrars' role in keeping spam alive
Damn_registrars has no butt-hole. Damn_registrars has no use for a butt-hole.
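The comment above describes links such as paypal.com.evilphishingdomain.com, where the brand appears only as leading labels of a domain someone else registered, and links that use a bare IP address. The following Python is an added example, not part of the original thread: it shows how a mail filter could tell those cases apart by comparing the registrable domain with a protected list. `PROTECTED`, `MULTI_LABEL_SUFFIXES`, `classify` and the sample URLs are assumptions made for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

# Assumption: brands whose registrable domains we want to protect.
PROTECTED = {"paypal.com", "ebay.com"}
# Assumption: tiny stand-in for the Public Suffix List (use the full list in practice).
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au"}

def registrable_domain(host):
    """Return the name a registrar actually sold: public suffix plus one label."""
    labels = host.split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])

def classify(url):
    """Label a link target: legitimate, lookalike, ip-literal, unrelated, unparseable."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    if not host:
        return "unparseable"
    try:
        ipaddress.ip_address(host)
        return "ip-literal"
    except ValueError:
        pass
    if registrable_domain(host) in PROTECTED:
        return "legitimate"
    # Brand name used only as leading labels of a host someone else registered.
    padded = "." + host
    if any("." + brand + "." in padded for brand in PROTECTED):
        return "lookalike"
    return "unrelated"

# Constructed sample links, not taken from real mail.
SAMPLES = [
    "https://www.paypal.com/signin",
    "http://paypal.com.evilphishingdomain.com/login",
    "http://secure.ebay.com.evilphishingdomain.co.uk/",
    "http://192.0.2.10/paypal/",
    "http://notpaypal.com.example.org/",
]

def report(urls=SAMPLES):
    """Map each URL to its verdict."""
    return {u: classify(u) for u in urls}

if __name__ == "__main__":
    for url, verdict in report().items():
        print(f"{verdict:12} {url}")
```

The check keys on the registrable domain rather than on a substring match, which is why `www.paypal.com` passes while a host that merely begins with `paypal.com.` does not.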
I can't wrap my mind around it, but it seems that there is some relationship to this phenomenon and that of $7.8 Billion in unused gift cards (just this year!!)
The end result is the same, some group (in this case retail store executives) is getting billions of dollars in exchange for exactly nothing.
while [ 1 ]; do echo -n -e "\xe2\x95\xb$((($RANDOM&1)+1))"; done
Anyone dumb enough to pay for something that is abundantly free deserves whatever they get.
On another note I have an abundant supply of di-hydrogen monoxide I am looking to sell. It is extremely useful for many applications. Regularly priced at up to $4.00 / litre, I am willing to part with it for only $0.50 / litre. Msg me for details!
I'm surprised that more banks don't make you retrieve credit/debit cards at local branches. Lots of cameras to help verify who you are. I know that when I want to change my PIN, I have to go to a WAMU branch to do it, whereas I can remember doing it online just a few years ago.
GetOuttaMySpace - The Anti-Social Network
Actually, I would say that it is quite a bit different. A fool might be duped into believing the sales pitch of enlargement pills or that a Nigerian prince can't find anyone to accept money, but the point of phishing is to establish a false sense of security where the victim believes they're dealing with a secure, reputable business - usually one where they already have a solid relationship. I can see a lot of people falling for well-designed, sophisticated phishing attacks.
This space intentionally left blank.
That is if you trust this figure... Gartner is not the most reliable source, and how did they come up with this estimate, when the victims mostly will not tell people they were scammed, and the banks will not release their losses...
Puteulanus fenestra mortis
Gartner's wording shows a definite bias against those using alternative income techniques. Here's another way to read their summary:
"Gartner's latest survey into the realm of phishing shows increased income for 2007, with record revenue of $3.2 Billion (that's Billion, with a B) U.S. Dollars. Overall income per incident fell (to $886 from $1,244 made on average in 2006) but the numbers of individuals who subscribed rose quite sharply from 2.3 Million in 2006 to an impressive 3.6 Million. Though online portals Paypal and eBay remained the most useful brands, it appears phishing entrepreneurs are getting more creative utilizing fake electronic greetings cards, foreign businesses, and charitable organizations in their portfolio of profit generating techniques. Furthermore these budding corporate executives are increasingly taking interest in debit card and banking credentials rather than credit cards, because the alternative income technique protection mechanisms there are far weaker, according to a study done at The University of California at Berkeley."
</sarcasm>
-USR1
Hmmm now you have me thinking. I've had 2 banks where this happened to me. Actually, no, a bank and a credit union. The Bank gave me a HUGE hassle, I'd purchased a few things online in the months before and then over a 2 day period someone with my card number purchased over 800$ worth of things online. They never called me, I had to call my bank on it. They made me pay for a replacement card and ALMOST had me convinced that I had to buy some sort of insurance if I wanted to get reimbursed (scammy, eh?) Turns out the insurance isn't mandatory, it's just like a VIP club for those who apparently have this happen to them often.
The Credit Union? They called me, they stopped my card instantly, they sent me a new one (I just had to fax my signature.) They even opened a police report in L.A. where the perp lived (dumbass used the number to buy gas in a few different stations.)
He was never caught but let's just say the bank no longer has my business.