Online banking fraud cost £12 million in the UK last year, according to the latest figures released by APACS, the country's payments association.

And phishing - where customers are duped into disclosing personal information - was the biggest culprit.

In the first month of 2005, the number of phishing attacks was up 42 per cent on December's figure, according to the US-based Anti-Phishing Working Group.

Based on these figures, it would seem that internet risks have never been greater for banks or their customers.

A phishing attack works like this.

First, thousands of baiting emails are sent at random. They usually purport to come from a well-known bank.

Some recipients will have accounts at the real bank and, if hooked, they follow the email's instructions - including clicking a link to the bank's website, where they are asked to enter their security details.

The sting, of course, is that they are taken to a bogus website.

They enter their username and password, unwittingly handing their details over to criminals who simply visit their genuine bank accounts and empty the cash.

The scam has become well known over the past year. Variations are less well known: for example, criminals can hijack an account even when the user is visiting his genuine bank account.

And it's not just bank accounts. Numerous other brands have been the subject of phishing attacks that seek to harvest credit card details for illicit shopping sprees or for selling on to other criminals.

According to the Anti-Phishing Working Group, there were 12,845 new, unique phishing e-mail messages reported in January. Each of these e-mails was sent to tens or hundreds of thousands of addresses.

Andrew Hartshorn, a partner with the Birmingham office of international law firm Pinsent Masons, says such law enforcement victories are exceptional.

"Phishing attacks are easy to launch. There are even kits available on the internet for would-be attackers that help with setting up the bogus sites and sending out the spam. And while the attackers can be caught, it's still a very rare thing."

Mr Hartshorn added: "Banks and others have a legal duty to have in place appropriate technical and organisational measures to protect their customer accounts; but there are limits to what they can do when customers are duped into giving away their details."

Mr Hartshorn thinks the banks are nervous.

"They've invested fortunes in internet banking. The last thing they want is for their customers to lose confidence in their online services. And while the banks have to date reimbursed those who lose money as a result of phishing, they don't have to," he said.

He explained that a bank's terms and conditions will likely say something about it being the customers' responsibility to ensure they keep their security details confidential. "The problem for the bank is that, if it's seen to refuse to reimburse a customer's loss, other customers will get scared of internet banking. That could be even more costly."

According to Pinsent Masons, the banks have been trying to educate their customers - warning them about phishing and reminding them that a real bank would never send an email asking them to confirm their security details.

But most banks do send marketing emails, and the emails do include links to the website - so confusion among customers is understandable.

"User education is important," said Mr Hartshorn. "But it's not a cure. First, it arguably places the burden on the wrong shoulders, because the more responsibility the customers bear, the more reason they have to be nervous. Second, the criminals always seem to be a few steps ahead."

Some services try to help banks to catch up with the criminals.

Among them is an offering from anti-fraud specialist Cyota. It checks for the existence of phishing attacks and bogus websites and works to remove them quickly. Between spotting the attack and removing the site, it will attempt to contaminate the data the bogus site is gathering, using software to fill in the authentication fields of the bogus sites.

Cyota does this in the knowledge that the criminals who gather the details - be they bank accounts or credit card numbers - are sometimes selling the details to other criminals.

The theory runs that trading bogus financial data with criminals is akin to selling them cocaine laced with rat poison: it's likely to be a short-lived career.

So Cyota's theory is that, while it can't stop phishing, it can at least persuade the criminal element to choose a target other than Cyota's own clients.

* Pinsent Masons is running a free seminar on phishing and other issues of authentication and identification in Birmingham on April 12. See www.out-law.info for details.