Source:
Tumbleweed Communications Corp. (NASDAQ:TMWD) and the Anti-Phishing Working Group today released the "Phishing Attack Trends Report" for May 2004, an analysis of phishing scam attacks submitted to www.anti-phishing.org, the Internet's most comprehensive archive of email fraud and phishing attacks. While this analysis shows that the numbers of unique attacks grew by only 6% in May, it also reveals that over 95% of attacks rely on the use of forged 'from' addresses to hide the identity of the scammers and evade spam filters. This trend underscores the utility of email sender authentication technologies as a critical step toward reducing the effectiveness of phishing campaigns by preventing fraudulent emails from reaching inboxes.
Several email authentication standards have been proposed by members of the Anti-Phishing Working Group, and while the specifics vary, each aims to prevent messages with forged addresses from reaching email users. Once deployed by ISPs, email authentication promises to reduce the number of phishing attacks reaching inboxes, with the added bonus of stopping most spam and the majority of e-mail based worms and viruses.
Phishing attacks use 'spoofed' e-mails and fraudulent websites to fool recipients into divulging personal financial data such as credit card numbers, account usernames and passwords, social security numbers, etc. By hijacking the trusted brands of well-known banks, online retailers, ISPs and credit card companies, phishers are able to convince up to 5% of recipients to respond to them. The result of these scams is that consumers suffer credit card fraud, identity theft, and financial loss.
In May, there were 1197 new, unique phishing attacks reported to the Anti-Phishing Working Group. This was a relatively minor 6% increase over the number of attacks reported in April (1125). The average number of phishing attacks per day in May was 38.6 (up slightly from the 37.5 per day for April). Analyzing this information on a weekly basis shows two weeks that averaged over 300 attacks, but a significant dip during the week of May 29. This dip may be due to the Labor Day holiday in the U.S., and a resultant reduction in reported phishing attacks. Highlights from the Anti-Phishing Working Group's May report include:
- 95% of phishing and email fraud attacks used spoofed or forged 'from' addresses.
- The company most-targeted by phishing attacks in May was Citibank with 370 unique attacks. This is down from 475 in April.
- Attacks against U.S. Bank surged 170%.
- Attacks against AOL doubled.
- The most-targeted industry sector was Financial Services with 848 unique attacks.
"One Achilles heel of phishing, and other related e-mail threats like spam and viruses, is the reliance on forged 'from' addresses to hide the sender's identity," said Dave Jevans, Chairman of the Anti-Phishing Working Group and Senior Vice President at Tumbleweed Communications. "The problem is that for the most part, email servers haven't cared where an email message claims to be from - they'll accept anything. Once ISPs start to verify the source of messages, a lot of the bad things in email, including phishing, will stop. Not many scammers will use their personal email accounts to launch a crime wave."