- USA (7 banks; 82 incidents)
- UK (6 banks; 8 incidents)
- Australia & New Zealand (5 banks; 16 incidents)
- Canada (2 banks; 2 incidents)
- Spain (1 bank; 1 incident)
- Hong Kong and Singapore (1 bank; 1 incident)
- Latvia (1 bank; 1 incident)

I have to say I think that’s an underestimate. And it’s not quite clear from mi2g’s release as to whether these are successful attempts, or just attempts. Given banks’ reluctance to admit to breaches, I’d guess it’s the latter. And mi2g point out that it’s not just banks that have been attacked: targets from the Federal Bureau of Investigation (FBI) to eCommerce/information portals and their associated payment systems have all been hit. Mi2g counts 90 unique attacks on eBay.
Mi2g say such attacks are getting more, rather than less, successful: “Phishing scams’ success rate has risen from 0.1% on average to 0.5% in the last six months as the techniques have become more sophisticated,” it says. This would mean thousands of victims and big headaches for banks: “In some instances the genuine web site has to be made inoperable for several hours or even days whilst the targeted bank investigates the extent of the financial fraud and related losses,” says mi2g.
Claims by mi2g have not always been taken seriously, particularly their estimates of damage. In this case, mi2g reckon that “worldwide economic damage for 2003 from phishing scams is estimated to have been between US $13.5 billion and $16.4 billion… The damage for 2004 has already crossed $8.9 billion in the first two months of the year.” I know they have some sort of formula for this, but as others have pointed out, these estimates seem to be more designed for grabbing headlines than serious analysis.
That said, phishing is a problem, and I would agree that online banking is going to have to add layers of security to avoid more breaches. But will customers accept that? If online banking gets too fiddly, will folk just give up? Or switch to something else?