Press Release

STAMFORD, Conn., November 9, 2006 View All Press Releases

Gartner Says Number of Phishing E-Mails Sent to U.S. Adults Nearly Doubles in Just Two Years

Thieves Are Targeting Wealthier Consumers While Impersonating Banks Less Often But Leveraging Less-Conventional Brands and Methods to Pull Off Their Scams

The number of U.S. adults that are sure or think that they have received phishing e-mails has nearly doubled since 2004, according to a survey by Gartner, Inc. Financial losses stemming from phishing attacks have risen to more than $2.8 billion in 2006.

"The good news is that, this year, fewer people think they lost money to phishers, but when they did lose, they lost more," said Avivah Litan, vice president and distinguished analyst at Gartner. "The average loss per victim nearly quintupled between 2005 and 2006, and the thieves seem to be targeting higher-income earners who are also more likely to transact on the Internet."

According to the survey, approximately 109 million U.S. adults have received phishing e-mail attacks, up from 57 million U.S. adults in 2004. The average loss per victim has grown from $257 to $1,244 per victim in 2006. The average amount of money consumers recovered from phishing attacks in 2005 was 80%, but in 2006, recovery amounts dropped to 54%.

High-income adults earning more than $100,000 per year are more heavily attacked. This group reported receiving an average of 112 phishing e-mails in the past year versus 74 e-mails per consumers across all income brackets. The high-income adults lost on average $4,362, almost four times as much as other victims.

Phishing e-mails that reach consumers are impersonating banks less often, and other brands, such as PayPal and eBay, more often. Banks and credit card company refunds to consumers who lost money because of phishing attacks are declining as a percentage of total refunds, while refunds from non-financial services companies and retailers are growing as a percentage of total funds.

"Cyber-criminals are starting to shift away from attacking online banks directly, and they are leveraging less conventional brands and/or using hard to detect social engineering methods to reap financial gains," Ms. Litan said. "Countermeasures such as phishing detection and take-down services deployed by banks, Internet service providers (ISPs) and other service providers are obviously not sufficiently widespread or effective."

According to the Gartner survey of 5,000 online adults in August 2006, an estimated 24.4 million Americans have clicked on a phishing e-mail in 2006, up from approximately 11.9 million in 2005, while 3.5 million have given sensitive information to the phishers, up from 1.9 million adults last year.

Recent browser upgrades (such as with Microsoft’s Internet Explorer and Mozilla’s Firefox) will try and flag known phishing attack sites to consumers, but Gartner analysts said many attacks could still slip by.

"Many of the browser upgrades are still incomplete and immature in terms of protections afforded," Ms. Litan said. "For at least two more years, phishing attacks will continue to increase since it’s still a lucrative business for the perpetrators."

The fear of phishing attacks is having a dramatic impact on non-solicited e-mails, as more adults delete e-mails if they don’t know the person sending them. "Among respondents who say their trust in e-mail has been adversely affected by the recent spate of security-related incidents, 85% delete e-mails they don’t trust without opening them first."

"The anti-phishing measures some enterprises have put in place to protect their brand and their consumers are not working," Ms. Litan said. "Phishers are moving from site to site to launch their attacks more quickly than ever. The average life of phishing sites has gone from one week a couple years ago to about one hour in 2006. Within a year or so, phishing sites may be user specific — that is a single site will be set up to launch a phishing attack against a single user. It’s no wonder the detection services can’t keep up with these rapid criminal movements."

Ms. Litan will provide more detailed analysis at the Gartner Identity & Access Management Summit, November 29-December 1 at the JW Marriott Las Vegas Resort. The inaugural Gartner Identity & Access Management Summit is designed to help organizations address the growing exposure that identity and access management (IAM) inefficiencies and lapses create. The Summit’s three research tracks focus on the business impact of IAM, the practical applications IAM organizations are using today, and the future direction of IAM technologies. Additional information is available at Members of the media can register for a press pass by contacting

About Gartner

Gartner, Inc. (NYSE: IT), is the world's leading research and advisory company and a member of the S&P 500. We equip business leaders with indispensable insights, advice and tools to achieve their mission-critical priorities and build the successful organizations of tomorrow.

Our unmatched combination of expert-led, practitioner-sourced and data-driven research steers clients toward the right decisions on the issues that matter most. We're trusted as an objective resource and critical partner by more than 15,000 organizations in more than 100 countries—across all major functions, in every industry and enterprise size.

To learn more about how we help decision makers fuel the future of business, visit

Comments or opinions expressed on this blog are those of the individual contributors only, and do not necessarily represent the views of Gartner, Inc. or its management. Readers may copy and redistribute blog postings on other blogs, or otherwise for private, non-commercial or journalistic purposes. This content may not be used for any other purposes in any other formats or media. The content on this blog is provided on an "as-is" basis. Gartner shall not be liable for any damages whatsoever arising out of the content or use of this blog.