Fraudsters Focus on Higher-Volume and Lower-Value Phishing Attacks
More than 5 million U.S. consumers lost money to phishing attacks in the 12 months ending in September 2008, a 39.8 percent increase over the number of victims a year earlier, according to Gartner, Inc.
In September of 2008, Gartner surveyed 3,985 U.S. online adults to determine the number of U.S. adults who have been victimized by phishing attacks, as well as the methods being used by criminals to execute these crimes.
The survey uncovered a trend toward higher-volume and lower-value attacks. Although the number of consumers who lost money to phishing attacks increased in 2008, average losses decreased. The average consumer loss in 2008 per phishing incident was $351, a 60 percent decrease from the year before.
Phishing attacks continue to exact financial damage on consumers and financial institutions. Consumers recovered 56 percent of their losses, meaning that most fraud costs were borne by consumer banks, PayPal and other financial service providers.
"The survey findings underline the fact that the war against phishing is far from over," said Avivah Litan, vice president and distinguished analyst at Gartner. "Despite the rollout of a wide range of security measures designed to stem phishing, the truth is that many of them are not yet adopted widely enough to reverse this tide and, in many cases, their effectiveness is only partial."
Ms. Litan said that measures targeted at stopping phishing include phishing e-mail blocking, safe browser surfing features, the use of site authentication to assure users they are on a legitimate Web site, the detection of phishing attacks, and the take-down of the criminal sites servicing those attacks.
Gartner recommends that enterprises continue to deploy and improve security solutions that protect accounts and customers against attacks. Enterprises that are custodians of customer accounts should also consider site authentication or assurance to confirm to a customer that he or she is on a legitimate Web site and not a spoof site. In addition, antiphishing services can proactively look for phishing attacks against named enterprises before they are launched and take them down on detection.
Enterprises providing e-mail services should investigate "secure" e-mail gateways that can block phishing e-mails before they reach customer in-boxes, using methods ranging from e-mail content analysis to accepting only properly digitally signed e-mail. End users can also increase their own protection by using safe-browsing tools that warn them when they access a known or suspected phishing site.
"None of the solutions are foolproof, however, and determined crooks will manage to get around them, so a layered security approach, involving all parties, will yield the best results," said Ms. Litan. "This strategy must include continuous fraud detection, stronger user authentication, and out-of-band transaction verification for registered users."
Gartner defines a phishing attack as one in which hackers or "cyberthieves" present themselves to users as a trusted service provider while in fact seeking to steal the user's account information, such as credit card number, home address and phone number, or credentials, such as user IDs and passwords. Phishing is typically carried out by sending the target an e-mail containing a link and an invitation to visit a Web site, which the thief presents as a well-known and/or trustworthy site.
Additional information is available in the Gartner report "The War on Phishing Is Far From Over." The report is available on Gartner's Web site at http://www.gartner.com/DisplayDocument?ref=g_search&id=927921&subref=simplesearch.
Additional information and practical advice on identity access management will be presented at the Gartner Information Security Summit, taking place from June 28 through July 1 in Washington, D.C. The Summit hits the critical spot between strategic planning and tactical advice. Gartner analysts, industry experts and IT security practitioners deliver unbiased, realistic analysis of the current state of information security, as well as an independent vision of how things will evolve over the long term. For complete event details, please visit the Gartner Security & Risk Management Summit. Members of the media can register by contacting Christy Pettey at email@example.com.