Sunday, November 12, 2006

The Phishermen are Reeling in Record Catches

No matter what expert you go to - phishing keeps increasing, both in the number of attacks and the amount of money stolen.

An example of this is a recent story by Robert McMillian of IDG News Service. His story, quoting Gartner (a computer security research firm), shows the dollar value has gone from $256.00 to $1244.00 per incident. Gartner is also claiming that the number of people victimized has risen from 1.9 million to 3.5 million. While most of the statistics are going up, there is one that isn't: the percentage of people recovering their money, which has gone down from 80 percent to 54 percent.

Please note, these are U.S. estimates, and to the best of my knowledge the U.S. isn't the only country suffering.

McMillian's article also quoted Paul Laudanski (CastleCops and PIRT) as stating:

"Often companies are reluctant to share information for fear that it may lead to lawsuits. The criminals are working together in this, but it's hard for us to work together."

Link to IDG story, here.

Mr. Laudanski has an excellent point here, and it's not only true when it comes to phishing: data breaches and even auction fraud (two other lucrative Internet crime activities) are frequently downplayed and/or "not disclosed" to the public.

Gartner estimates that phishing costs the U.S. $2.8 billion, but if you were to listen to the FBI, cyber fraud is costing us about $70 billion. Of course, phishing isn't the only cybercrime out there.

Tom Young (Computing) quoted FBI special agent Mike Eubanks as saying less than 5 percent of the big "Cyber Crooks" are ever caught.

Agent Eubanks also said:

"Each year in the US, $70bn (£37bn) is lost to cyber fraud, and the problem is getting bigger. Many of the criminals come from Russia, Ukraine and Romania. These people are specialists in malcode, as well as in covering their tracks. They communicate through email and chat forums."

"In a computer crime the data is stale within weeks, and the evidence is in many different areas, personal PCs, corporate databases, all over the world which makes it particularly difficult. The IT industry needs to work with law enforcement, and use it as a selling point. The industry can look to see if it is experiencing crime that police are seeing, and vice versa. We need to put together a network that facilitates the sharing of data to analyze global trends."

Computing story, here.

Until the private sector decides to stop worrying about lawsuits and bad press, this is going to continue to be a losing battle for the people trying to put a stop to it. Maybe the companies who aren't disclosing information would react sooner if legal action were taken against them for not doing so.

Of course, the only way to do this would be to institute effective laws.

We still don't have an effective federal law that addresses disclosure in these incidents, and some suspect that efforts to pass one are being hampered by "special interests."

The last federal version I saw (HR3997) would allow these very companies to decide whether or not it was necessary to disclose the information. Last I heard, public outcry stopped this bill from being passed, but it's still out there.

My opinion is that these companies and their special interests have long claimed they reimburse fraud victims. While this is true, there are many who aren't reimbursed, and that statistic (like all the others) is also going up. While some individuals might be getting reimbursed, the cost of all this is being passed on to everyone; otherwise these companies would go "broke" pretty quickly.

Another thing to consider is that when a person's personal information is stolen and later used in identity theft, the odds are that no one will know exactly where the information was compromised. This is especially true when the "norm" is no disclosure, or limited disclosure, after a long internal investigation.

And if we are to believe Mr. Laudanski and Special Agent Eubanks, there is a lack of disclosure, even to those attempting to go after the "bad guys" behind this activity.

It doesn't make sense not to help the people who are protecting the public from criminal activity.

Unless something is done that serves the public interest instead of the private interest, the "Phishermen" will continue to reel in record catches and expand their activities.

In fact, they are probably laughing all the way to the bank!
