The warning follows the publication this week of around 20,000 webmail credentials on a public website. The details are thought to have been gathered through a phishing email asking people to re-confirm their webmail details. Around 10,000 Hotmail users were affected, plus a variety of users of other webmail services.
The list of details showed up on a software developers' website called Pastebin.com, which normally just acts as a place for developers to exchange ideas.
"This should be a concern especially for those companies that, in the current economic climate, have moved more of their business online," said William Beer, a director of the OneSecurity practice at PricewaterhouseCoopers LLP.
He said that companies need to learn to react faster to fight Internet fraud. "The criminals are very nimble and quick in developing new ways of operating, while companies tend to be very process-oriented. They are slow to react," he said. "They end up firefighting rather than taking a more strategic approach to the problem."
But with tight budgets, he warned that enterprises will struggle to find the right resources as online fraud continues to grow. "While technical skills are required [to tackle the problem], specialists need to be able to engage with business leaders and build business cases," he said.
This latest theft of webmail credentials illustrates how the criminals can make use of low-value information as a springboard to gain more valuable personal and financial details. According to security firm Websense Inc., the last few days saw a surge in the number of spam emails sent from Yahoo!, Gmail and Hotmail accounts.
The messages were sent from user accounts to contacts in their address books, therefore appearing to be genuine. The emails recommended a product that could be bought from a website that was actually a fake. Those who were tempted to buy handed over their credit card or bank details, thereby providing the Internet fraudsters with the information they wanted.
"This is just another example of online fraudsters becoming increasingly adept at gaining personal and confidential information from unsuspecting victims," said Carl Leonard, European threat manager for Websense, in a statement. "Websense Security Labs have found that 37% of malicious Web attacks over the last six months included data-stealing code, demonstrating that attackers are clearly after essential information and personal data." In the same period, 85.6 percent of all unwanted emails contained links to spam sites and/or malicious websites, according to Websense.
And this week, the banking body Financial Fraud Action UK announced that the cost of online banking fraud had risen by 55% to a record £39 million during the first half of 2009.
But what can companies do if phishers impersonate them? Although phishing scams cannot be directly prevented by companies, PWC's Beer said organisations could do more to communicate good practice to customers. "This is not a technical problem, but companies need to give more focus to communication to inform their customers," he said.
According to Chris Barling, managing director of Actinic Ltd, a supplier of e-commerce website software mainly to small businesses, there is cause for optimism in some of the latest figures.
He pointed out that the statistics from Financial Fraud Action UK show an 18% decrease in card-not-present fraud for the first half of this year. Barling said the decline was largely due to increased use of the 3D Secure scheme, a technical standard created by Visa and MasterCard that adds a further security check and authentication for online purchases.
Barling agreed that educating users was vital to help them avoid falling for phishing scams, but insisted that consumers are well protected. "Online buyers take very little risk. They have an unqualified right to a chargeback for any fraudulent transactions made in their name. It's the merchants that complain that the card companies always side with the buyer."