tricking people into revealing their logins and passwords by creating fake emails, Twitter messages, and/or websites, does not actually make phishers a lot of money. A new paper (PDF) by Cormac Herley and Dinei Florencio from Microsoft Research argues that the basic laws of economics still apply to phishing. As phishing becomes easier, and as 'phishing kits' are being sold for less than $100, the actual income for each individual phisher has to come down. Phishing has become a "low-skill, low-reward business."Phishing, the highly illegal scam of
While, as the authors point out, the media has portrayed phishing as an easy (and illegal) way to make money, the reality is that too many phishers have joined the fray and that the income per phisher has been greatly depressed because of this.
Phishers typically sell the logins and passwords they have harvested through their scams to other criminals online, who can then easily commit identity theft.
Losses from Phishing Have Been Exaggerated
The authors also argue that the economic losses from phishing have been greatly overstated. Herley and Florencio argue that the numbers don't 'survive basic sanity checks,' yet are widely quoted. At the same time, these mythical numbers lead more phishers into the business, which then depresses the per person income even more. According to PayPal's chief information security officer Michael Barrett, phishing "is not even in the top five threats" that could cause losses at PayPal.
Why Phishing Will Continue
The paper, however, also points out that this lack of revenue does not mean the end of phishing. Phishers, the authors argue, are not necessarily making rational economic decisions. Instead, their vision is clouded by by hopes of 'hitting the jackpot' (even when revenue is going down), and a constant barrage of reports of 'easy money' that will lead phishers to believe that revenue will go up again. Also, because phishing is generally considered to be very 'easy,' a constant stream of newcomers will replace the retired phishermen. The authors note that this cycle can only be broken through providing better information about the economic reality of the phishing business to potential phishers.
(hat tip to Steve Ragan at the Tech Herald)
CC-licensed image courtesy of Flickr user ToastyKen