In September of 2008, Gartner surveyed 3,985 U.S. online adults to determine the number of U.S. adults who have been victimized by phishing attacks, as well as the methods being used by criminals to execute these crimes.
The survey uncovered a trend toward higher-volume and lower-value attacks. Although the number of consumers who lost money to phishing attacks increased in 2008, average losses decreased. The average consumer loss in 2008 per phishing incident was $351, a 60 percent decrease from the year before.
Phishing attacks continue to exact financial damage on consumers and financial institutions. Consumers recovered 56 percent of their losses, meaning that most fraud costs were borne by consumer banks, PayPal and other financial service providers.
Gartner recommends that enterprises continue to deploy and improve security solutions that protect accounts and customers against attacks. Enterprises that are custodians of customer accounts should also consider site authentication or assurance to confirm to a customer that he or she is on a legitimate Web site and not a spoof site. In addition, antiphishing services can proactively look for phishing attacks against named enterprises before they are launched and take them down on detection.
Enterprises providing e-mail services should investigate "secure" e-mail gateways that can block phishing e-mails from reaching customer in-boxes using a variety of methods, from e-mail analysis to accepting only properly digitally signed e-mail. End users can also increase their own protection by using safe-browsing tools that can provide a warning when accessing a known or suspected phishing site.
The entire study is available here.