Digital Transactions Authoritative, insightful and timely information for payments professionals
Recent survey statistics document a continuing rise in both phishing sites and attacks, and underline the toll such security problems are taking on consumer confidence when conducting online transactions. In its latest report, the Anti-Phishing Working Group says the number of unique Web sites engaged in phishing fraud jumped to 1,142 in October, more than double the 543 found the previous month. The average monthly rate of growth in phishing sites is 25% since July, the group said. Meanwhile, the number of new, unique e-mail messages reported to the association as phishes hit 6,597 last month, up an average of 36% monthly since July's 2,625. The group, which began tracking phishing trends a year ago, now measures the extent of phishing by counting the number of unique sites perpetrating the fraud, or “baiting” sites, rather than by the number of unique e-mails. In phishing attacks, criminals try to collect consumers' passwords, PINs, and other authentication data by tricking them into entering the data on Web sites that spoof actual bank and retail sites. The fraudsters initiate the attack by sending out millions of e-mails to consumers that look as if they came from banks and retailers the recipients may do business with. The Anti-Phishing Working Group says the number of baiting sites spiked Oct. 5, perhaps as a result of a “toolkit” or some form of automation now available to fraudsters that eases replication of attacks against a number of brands simultaneously. The U.S. still hosts most of the baiting sites, at 29%, but China, at 16%, Korea (9%) and Russia (8%), are catching up. Meanwhile, the number of sites hosted on hijacked broadband computers, the group says, is now more than 50%. The number of commercial brands targeted has reached 117 over the past year, with 42 affected in October. Most of the attacks concentrate on half a dozen well-known companies, with most of these in the financial-services industry. “While there is still a fairly high concentration of activity involving a few well-known brands, the specific high-profile brands shift from month to month and consumers should not decrease their level of awareness based on the firms with which they specifically conduct business online,” the group cautions. The report no longer lists the brands affected, but in the past names like PayPal, Visa, Citibank, and eBay typically headed the list. The way in which such fraud erodes consumer trust?and hence consumers' willingness to conduct online transactions?emerges in a separate study released by Entrust Inc., an Addison, Texas-based security software company. The study, conducted over five days in August and based on 2,000 completed surveys, could be especially worrisome to banks trying to launch or expand bill payment and other online banking services. Some 85% of respondents say they conduct some form of e-commerce, but only 59% bank online. Fully 80% say they are concerned about someone stealing their online identities and using them to loot their bank accounts. Of those who connect to the Internet but don't bank online, 72% said they would likely use online banking if “identity security” were improved. Of those who do bank online, 90% said they would use more, higher-value services with better protection. Some 22% said they would be very likely to switch banks for better identity protection. When asked about so-called two-factor authentication?the use of an additional identifier or technology, beyond a password, to secure transactions?78% replied they would be willing to use a two-factor technique to access online banking. Some two-factor methods, such as those incorporating digital certificates, have been tried sporadically by banks but are often dismissed as too cumbersome for consumers. Most of the respondents to the Entrust survey were in North America. The survey was conducted by Greenfield Online, and had a margin of error of plus or minus 2.2%.
