June 23, 2004

Phishing I - Penny Black leads to Billion Dollar Loss

Today, the Financial Times leads its InfoTech review with phishing [1]. The FT has new stats: Brightmail reports 25 unique phishing scams per day. Average amount shelled out by the corporates that suffer, per 62m phishing emails: $500,000. And Brightmail sees 2.4bn phishing emails per month, with a claim that it handles 20% of the world's mail. Let's work those figures...

If Brightmail sees 20% of the traffic, that means 12bn phishing emails per month worldwide. If 62m emails cause costs of half a million dollars, that works out at about $0.008 per email. 12bn a month is 144bn emails per year, which makes for ... $1.152 billion paid out every year [2].

In other words, each phishing email is generating losses to business of about a penny. Black indeed: nobody has been able to show such a profit model from email before, so we can pretty much guarantee that the flood is only just beginning.

(The rest of the article included lots of cartels trying to peddle solutions, and a mention that the IETF thinks email authentication might help. Fat chance of that, but it did mention one worrying development: phishers are starting to use viral techniques to infect the user's PC with key loggers. That is a very worrying development, as there is no way a program can defeat something that the Microsoft operating system has permitted to invade.)

[1] The Financial Times, London, 23 June 2004, "Gone phishing," FT-IT Review.
[2] Compare and contrast this $1 billion loss with the $5bn claimed by the NYT last week: "Phishing an epidemic, Browsers still snoozing".

Addendum 2004-07-17: One article reports that phishing will cost financial firms $400m in 2004, and another article, "Firms hit hard by identity theft", reports:

"While it's difficult to pin down an exact dollar amount lost when identity thieves strike such institutions, Jones said 20 cases that have been proposed for federal prosecution involve $300,000 to $1 million in losses each."

This matches the amount reported in the Texas phishing case, although it refers to identity theft, not phishing (yes, they are not the same).

Addendum 2004-07-27: Amir Herzberg and Ahmad Gbara report in their draft paper:
A study by Gartner Research [L04] found that about two million users gave such information to spoofed web sites, and that "Direct losses from identity theft fraud against phishing attack victims -- including new-account, checking account and credit card account fraud" cost U.S. banks and credit card issuers about $1.2 billion last year.

[L04] Avivah Litan, Phishing Attack Victims Likely Targets for Identity Theft, Gartner FirstTake, FT-22-8873, Gartner Research, 4 May 2004

Addendum 2008-09-03: "Fighting Phish, Fakes and Frauds" talks about the additional cost of support calls and of users who abandon ecommerce.

Posted by iang at June 23, 2004 10:30 AM

One solution to the keylogger problem would be the same as for viruses and worms: install software that does an integrity check on systems.
Usual PCs running Windows in a productive environment change very little. Once a stable environment is defined, a guardian software (now that's one thing I would like to see integrated into the OS) could stand watch (sic!) over the software base and refuse to a) let other software install at all and b) give software access to devices like the keyboard.

Such software does exist. It is the ultimate A/V software because it does not need any update.

It's a question of the maturity of the organization whether they manage to realize this, whether they manage to establish and enforce a stable production environment and, finally, whether they run Windows with least privileges (read: as a non-administrative user).

Posted by: Axel at June 24, 2004 10:53 AM