The damage caused by PHISHING ranges from loss of access to email to substantial financial loss. This style of identity theft is becoming more popular, because of the ease with which unsuspecting people often divulge personal information to PHISHERS, including credit card numbers , social security numbers, and mothers' maiden names. There are also fears that identity thieves can add such information to the knowledge they gain simply by accessing public records. Once this information is acquired, the PHISHERS may use a person's details to create fake accounts in a victim's name, ruin a victim's credit , or even prevent victims from accessing their own accounts.
It is estimated that between May 2004 and May 2005, approximately 1.2 million computer users in the United States suffered losses caused by PHISHING, totaling approximately $929 million USD. U.S. businesses lose an estimated $2 billion USD a year as their clients become victims. In the United Kingdom losses from web banking fraud — mostly from — almost doubled to £23.2m in 2005, from £12.2m in 2004, while 1 in 20 users claimed to have lost out to PHISHING in 2005.
The UK banking body APACS ' stance is that "customers must also take sensible precautions...so that they are not vulnerable to the criminal ."Similarly, when the first spate of PHISHING attacks hit the Irish Republic's banking sector in September 2006, the Bank of Ireland initially refused to (and still insists that its policy is not to cover losses suffered by its customers, although losses to the tune of €11300 were made good.
Anti-phishing measures have been implemented as features embedded in browsers, as extensions or toolbars for browsers, and as part of website login procedures. The following are some of the main approaches to the problem. Helping users identify legitimate sites Since PHISHING is based on impersonation, preventing it depends on users having some reliable way to identify the sites they are dealing with. Alerting users to fraudulent websites Another popular approach to fighting PHISHING is to maintain a list of known phishing sites and to check websites against the list. Microsoft's new IE7 browser , Mozilla Firefox 2.0, and Opera all contain this type of anti-PHISING measure. Firefox 2 uses Google anti-phishing software. Opera 9.1 uses live blacklists from PhishTank and GeoTrust , as well as live whitelists from GeoTrust . Some implementations of this approach send the visited URLs to a central service to be checked, which has raised concerns about compromising the user's privacy. According to a report by Mozilla in late 2006, Firefox 2 was found to be more effective than Internet Explorer 7 at detecting fraudulent sites in a study by an independent software testing company. Eliminating phishing mail Spam filters can also help by reducing the number of phishing emails that users receive.
Users can take steps to avoid PHISHING attempts by slightly modifying their browsing habits. Users who are contacted about an account needing to be "verified" (or any other topic used by PHISHERS) can contact the company that is the subject of the email to check that the email is legitimate, or can type in a trusted web address for the company's website into the address bar of their browser to bypass the link in the suspected PHISHING message. Nearly all legitimate email messages from companies to their customers will contain an item of information that is not readily available to PHISHERS. Some companies, like PAYPAL, always address their customers by their username in emails, so if an email addresses a user in a generic fashion (" Dear PAYPAL customer ") it is likely to be an attempt at PHISHING. Emails from banks and credit card companies will often include partial account numbers. However, recent research has shown that typical users do not distinguish between the first few digits and This is a significant problem since the first few digits often are the same for all clients of one financial institution. One should always be suspicious if the message does not contain specific personal information. PHISHING attempts in early 2006, however, used such highly personalized information, making it unsafe to rely on personal information alone as a sign that a message is legitimate. Furthermore, another recent study concluded in part that the presence of this information does not significantly affect the success rate of PHISHING attacks, suggesting that most users do not pay attention to such details anyway. the last few digits of an account number