ReadWriteWeb

There is No Money in Phishing (But It Still Won't Go Away)

Written by Frederic Lardinois / January 7, 2009 10:06 AM / 4 Comments

Phishing, the highly illegal scam of tricking people into revealing their logins and passwords by creating fake emails, Twitter messages, and/or websites, does not actually make phishers a lot of money. A new paper (PDF) by Cormac Herley and Dinei Florencio from Microsoft Research argues that the basic laws of economics still apply to phishing. As phishing becomes easier, and as 'phishing kits' are being sold for less than $100, the actual income for each individual phisher has to come down. Phishing has become a "low-skill, low-reward business."

While, as the authors point out, the media has portrayed phishing as an easy (and illegal) way to make money, the reality is that too many phishers have joined the fray and that the income per phisher has been greatly depressed because of this.

Phishers typically sell the logins and passwords they have harvested through their scams to other criminals online, who can then easily commit identity theft.

Losses from Phishing Have Been Exaggerated

The authors also argue that the economic losses from phishing have been greatly overstated. Herley and Florencio argue that the numbers don't 'survive basic sanity checks,' yet are widely quoted. At the same time, these mythical numbers lead more phishers into the business, which then depresses the per person income even more. According to PayPal's chief information security officer Michael Barrett, phishing "is not even in the top five threats" that could cause losses at PayPal.


Why Phishing Will Continue

The paper, however, also points out that this lack of revenue does not mean the end of phishing. Phishers, the authors argue, are not necessarily making rational economic decisions. Instead, their vision is clouded by hopes of 'hitting the jackpot' (even when revenue is going down), and a constant barrage of reports of 'easy money' leads phishers to believe that revenue will go up again. Also, because phishing is generally considered to be very 'easy,' a constant stream of newcomers will replace the retired phishermen. The authors note that this cycle can only be broken by providing better information about the economic reality of the phishing business to potential phishers.

(hat tip to Steve Ragan at the Tech Herald)

CC-licensed image courtesy of Flickr user ToastyKen

Comments


  1. Insightful article that contributes to a solution. Great stuff.

    Posted by: Lucas Gonze | January 7, 2009 10:57 AM
  2. Deception is never as profitable as providing a welcomed product.

    Glad to know there's little money in it.

    Posted by: Keane Li | January 7, 2009 11:35 AM
  3. Of course it won't go away. Why do people make useless viruses for no other reason than because they can and it annoys everyone? People will continue to phish and look for ways to bank off of it even if the numbers are exaggerated.

    Posted by: Craig | January 7, 2009 12:58 PM
  4. Phishing for only login credentials isn't very profitable for the criminals, but phishing for customer personal information is (and will continue to be) very profitable.

    Now most of the phish kits targeting financial institutions don't just ask for a login/password. They ask for the bank/card details along with personal information. This makes it easy for the criminals to take over a customer's account in order to extract money.

    (Logins by themselves are fairly useless actually as almost all companies in the financial sector use some sort of multi-factor authentication for logins.)

    You would probably be amazed at the % of people who fall for these phishing scams, btw.

    Posted by: Zac | January 8, 2009 12:47 PM