Online phishing schemes more than doubled last month, leaving financial institutions struggling to rebuff attempts to steal private account information from customers, according to the Anti-Phishing Working Group.

Last month, 1,142 sites were used for phishing, up 110% from the 543 sites reported in September, according to the report issued this week by the consortium of law enforcement, financial institutions and IT security firms that tracks the online attacks.

Almost 6,600 different phishing messages were reported to the group in October. Peter Cassidy, secretary general for the group, said the number of unique phishing e-mails had grown an average 36% each month since July. “Organised crime has embraced this technology and automation has increased the availability of phishing technology,” he said. “They’ve become much more sophisticated.”

Phishing occurs when con merchants send fraudulent e-mails to customers to lure them to websites that appear to be the home page of a well-known financial institution. The e-mails instruct the customer to leave account information on the site, which the scammers then use for identity theft.

The financial services industry has taken the biggest hit. Last year phishing scams cost banks and credit-card companies $10.2bn (£5.4bn), according to a recent Gartner report.

Banks are trying to fight phishing by educating customers about spoof e-mails. Several banks include information about phishing on their websites and in monthly statements.

Cassidy said that the Anti-Phishing Working Group had expected the phishers to start targeting smaller banks, but that this had not yet happened. “The phishers have not really broadened their attacks beyond established brands such as Citicorp and Bank of America.”

The group is also warning companies and users of a new form of phishing that runs a script just when an e-mail is opened. Cassidy said the new technique had only been detected in Brazil, but was probably being tested for wider deployment.

More here.