Phishing attacks in the US have soared in 2007, with direct losses from identity theft fraud costing financial services firms around $3.2 billion, according to research from consultancy Gartner.
According to a survey of more than 4500 online US adults, around 3.6 million US adults fell victim and lost money in phishing attacks in the 12 months ending in August 2007, up from 2.3 million adults the year before.
Phishing attacks were more successful in 2007 than in the previous two years. Of the consumers who received phishing e-mails in 2007, 3.3% say they lost money because of the attack, compared with 2.3% who lost money in 2006 and 2.9% who did so in 2005, says Gartner.
Gartner says debit cards have emerged as the financial instrument targeted most by fraudsters in this year's study, which shows that criminals are targeting areas "where fraud detection is weaker than it is with credit card accounts". According to the survey, of the consumers that lost money to phishing attacks, 47% said a debit or cheque card had been the payment method used when they lost money or had unauthorised charges made on accounts. This was followed by 32% of respondents that listed a credit card as the payment method and 24% who listed a bank account as the method.
The average dollar loss per incident declined to $886 in 2006, from $1,244 lost on average in 2006 (with a median loss of $200 in 2007). But as there were more victims, overall around $3.2 billion was lost to phishing crimes in 2007.
On a more positive note, the amounts that consumers were able to recover increased, with some 1.6 million adults recovering about 64% of losses in 2007, up from 2006 when 1.5 million adults managed to recover 54% of losses.
PayPal and eBay continue to be the most-spoofed brands, but phishing attacks increasingly come in different guises and impersonate electronic greeting cards, charities and foreign businesses, says Gartner.
Avivah Litan, VP and distinguished analyst at Gartner, says phishing attacks are becoming more surreptitious but anti-phishing detection and prevention applications are still not utilised widely enough to stop the damage. Around 11% of online adults say they don't use any security software - such as antivirus or anti-spyware products - on their desktop, and another 45% only use what they can get for free.
"Customer-facing organisations cannot expect their customers' desktops to be protected from malicious code, nor from e-mail and/or advertising traps that lure innocent consumers to Web sites that turn out to be infection points," she adds.
Gartner also says that bank regulators appear to be "in the dark" when it comes to measuring damage from phishing attacks. Gartner, along with the University of California at Berkeley, analysed data on fraud attacks supplied by the Federal Deposit Insurance Corporation and found the information to be "spotty, unreliable and unstructured data". Litan says just 451 unique incidents were reported between 27 January 2005 and 30 May 30 but "the data quality was so poor that it was impossible to draw any conclusions from it other than that the regulatory reporting on fraud attacks is severely lacking".
"Regulators must get a better handle on the problem through consistent and timely bank reporting on their fraud incidents and losses," she adds.
The consultancy warns that phishing and malware attacks will continue to increase through 2009 because it's still a lucrative business. Advertising networks will be used to deliver up to 30% of malware that lands on consumer desktops, says Gartner.
E-mail providers, advertising networks and other "infection point" providers need to have incentives to invest in solutions to keep phishing e-mails from reaching consumers in the first place, says Gartner.