The actual dollar value of potential fraud losses from phishing has been exaggerated, according to research house TowerGroup, which predicts that direct losses attributable to cyber scams will total just $137.1 million globally in 2004.
Research by consultancy Gartner estimates that direct losses from ID fraud against victims of phishing attacks cost US financial services firms about $1.2 billion in 2003, while more recent research from payments association Nacha estimates the monetary losses to victims of phishing incidents to total $500 million. But TowerGroup says the actual dollar value of phishing-related fraud losses is far less than commonly cited.
Beth Robertson, senior analyst, global payments research service, TowerGroup, says: "Phishing attacks can allow criminals to fraudulently obtain consumer data, but they do not as commonly result in an actual fraud event in which accounts are accessed or funds are stolen."
According to the research, the number of phishing attacks - which total more than 31,000 globally in 2004 - will rise to over 86,000 by 2005, as the fraudsters begin targeting smaller financial institutions and new merchant/service-provider categories. But Robertson suggests phishing attacks only fool a small fraction of the online population and are, to many consumers, just a nuisance like spam.
TowerGroup says ultimately the total cost of managing phishing scams will be far greater than the cost of direct fraud, but admits that the increasing sophistication of phishing has the potential to knock consumer confidence in the Internet as a channel for the provision of financial services.
Separately, New York security software vendor Cyota says key findings from its recently-released anti-phishing service, FraudAction, show that 59% of phishing attacks are hosted on hijacked computers and two out of three attacks are hosted internationally. On average, targeted banks were alerted to phishing attacks four hours prior to a customer call.
Cyota says its anti-phishing system - in use at five top US and UK banks including Barclays - has shut down over 60% of attacks in less than five hours and has managed to reduce the lifespan of some phishing sites to five hours, compared to the industry average of 153 hours (6.4 days) reported by the Anti-Phishing Working Group.
The service, which was launched in January, includes real-time alerts, detailed severity assessments, site shutdown services, forensic work and proprietary counter-measures.
The vendor says one bank client benchmarked phishing-related fraud losses before and after using its service and found that FraudAction lowered its losses by over 50%.