A survey of nearly 4,000 US consumers revealed a 40% increase in the number of phishing victims in 2008 over the year before to five million.
The average loss was $350 per phishing attack, but consumers said they had recovered 56% of their losses from the financial institutions involved.
"The findings underline the fact that the war against phishing is far from over," said Avivah Litan, analyst at Gartner.
Despite the roll-out of a wide range of security measures against phishing, many of them are not yet widely adopted or effective enough to reverse this tide, she said.
None of the anti-phishing measures are fool-proof, so a layered security approach, involving all parties, will yield the best results, Litan added.
This strategy must include continuous fraud detection, stronger user authentication, and transaction verification for registered users, she said.