Online thieves are luring a growing number of Internet banking customers to fake Web sites in so-called “phishing” schemes intended to steal account information.
Phishing attacks, which rely on fraudulent e-mails to beckon people to seemingly authentic Web sites, surged 19 percent in June, according to a report to be released today.
The fast-growing scam may be more widespread than it appears because banks likely are not reporting all the attacks against consumers.
Phishing attacks rose to 1,422 in June, up from 1,197 in May, according to the Anti-Phishing Working Group, a nonprofit group tracking the online threat.
The increase means consumers who bank online remain vulnerable to phishing, and banks are struggling to stop it, said Jeff Ready, vice president of Tumbleweed Communications Corp., a Redwood City, Calif., software company that started the Anti-Phishing Working Group.
“People haven’t yet come around to understand that there are these scams out there,” he said.
Phishing attacks have risen precipitously since December, when just 116 attacks were initiated.
The number of phishing scams probably is even higher than figures from the Anti-Phishing Working Group indicate, said Mark Mendelsohn, senior counsel at the Justice Department’s computer crimes and intellectual property section.
Some banks are hit by multiple phishing attacks each day.
“I know those aren’t all being reported to law enforcement,” Mr. Mendelsohn said.
Banks aren’t reporting all phishing attacks because they don’t want to undermine consumer confidence in online banking, he said. Failing to report all scams makes it harder for law enforcement to catch online thieves.
But an industry official said banks may not know about each phishing attack against consumers. Since banking customers are the targets of phishing schemes, financial institutions rely on consumers to discover when thieves initiate a new attack, said Doug Johnson, senior policy analyst for the American Bankers Association.
“The reporting infrastructure is still developing. I don’t think [underreporting] is purposeful,” Mr. Johnson said.
About 1.9 million people reported their checking accounts were breached in the past year, accounting for $2.4 billion in fraud, Gartner Inc., a technology research firm in Stamford, Conn., said in May. An estimated 57 million people received a phishing e-mail last year.
Citibank customers were targeted most often in June, with 492 separate e-mail scams directed toward its 1.6 million online banking customers. That was up from 370 e-mail attacks in May.
Users of online auctioneer EBay Inc. also were popular targets of phishing attacks in June, and there were 285 separate e-mail scams directed at EBay customers, down from 293 in attacks in May.
Each e-mail attack can include a barrage of more than 1 million messages. But online thieves are becoming more discreet. They are targeting fewer consumers at smaller banks in hopes of drawing less attention, said James Jones Jr., chief scientist at Science Applications International Corp., a San Diego-based research and engineering firm.
Banks must educate their customers about the Internet scam so they don’t fall victim, Treasury Department Assistant Secretary Wayne A. Abernathy said last week during a teleconference on phishing.
So far, banks don’t have a clear strategy to address the threat, Mr. Ready said.
Financial institutions will find a way to stop consumers from getting lured into phishing scams, Mr. Jones said, but they need to do it quickly.
“The problem will be solved,” he said. “It’s just, how much damage will be done before then?”