The email security company, which is based in Redwood City, Calif., reports finding 19,282,136 phishing attacks in July. That's a 16 percent increase compared to June.
''Clearly, we're going to see more of this,'' says Andrew Lockhart, senior director of marketing for Postini. ''Phishing is still in its infancy... If you've got the nerve for it and the talent for it, phishing pays better than other types of spam. If you're blasting out spam about toner cartridges or herbal Viagra, maybe every sucker will part with 20 or 25 bucks. If you're phishing, you're looking at a potential payday of hundreds of thousands of dollars.''
Lockhart points out that despite any increases, phishing attacks still only make up about 1 percent of all spam. ''Plain old spam is just much easier to do,'' he adds.
Phishing is a scam in which the attacker, in an effort to pilfer personal and financial information, sends out emails appearing to come from legitimate e-commerce sites, such as banks. By duping the recipient into handing over critical information, the attacker then steals the person's identity, taking money out of the bank or racking up credit card debt.
Steve Sundermeier, a vice president at Central Command, an anti-virus and anti-spam company based in Medina, Ohio, says phishing is easy enough and profitable enough that he expects it to keep growing at a high rate. In fact, he says he expects it to increase 100 percent over the next year.
''They've got these Web sites crafted,'' says Sundermeier, who notes that many of these fake sites, which also are called landing sites, are only up for a matter of minutes. ''To create a phishing scam, unfortunately, is fairly easy. You're not dependent on a key logger or some sort of spyware.''
The Corporate Side of the Issue
Ken Dunham, a senior engineer at Verisign-iDefense Intelligence based in Reston, Va., notes that as phishing continues to worsen, IT managers are increasingly put in the position of having to protect their end users from it.
Both Dunham and Lockhart say IT organizations have an obligation to train end users on how to protect themselves. While phishing attacks generally don't affect a company directly, the company's 'family' of workers is at risk. And teaching employees to beware of phishing scams is a natural part of teaching them to beware of spam, viruses, Trojans and malicious Web sites. It all fits together.
''We all know that if you do your user training, the main thing is about attitudinal change,'' says Dunham. ''It does change the approach that people take to their life online. You tell them not to click on hyperlinks. If they want to go to CNN.com, just type it into their browser. Wouldn't it be great if people get basic security training?''