03:17 PM
Connect Directly

Report: Phishing A Low-Paying, Low-Skills Job

Economic analysis says phishing in the USA isn't as lucrative as once thought

Most experts agree that phishing has become more automated, sophisticated, and widespread. But that doesn't mean all phishers make big bucks, according to a recently published report.

Cormac Herley and Dinei Florencio, both from Microsoft Research, conducted an independent economic analysis (PDF) that they say refutes conventional wisdom that phishing is lucrative. Instead, the researchers -- who note their work is their own and doesn't speak for Microsoft -- used economic models to conclude that phishing is a low-paid, low-skills enterprise where the average phisher makes hundreds, not thousands, of dollars a year.

"The more automated, the lower the barrier to entry, [and] the lower the effective return. When it's automated, it becomes a low-skill endeavor, and low-skill jobs pay like low-skill jobs," Herley says.

And like any organized crime organization, the foot soldiers don't make the big money. "It's likely that the money from phishing is unevenly divided, with some doing way better than others. But we don't have any data on that," Herley says.

Yuval Ben-Itzhak, CTO of Finjan, says the big bosses make the big bucks, and phishing isn't as lucrative in the U.S. as in other regions. "I think phishing did not reach all valid territories/countries in the world yet," he says. "I believe there are additional market segments that include 'deep pockets' waiting to be phished. It is not in the U.S."

In their report Herley and Florencio argue that public estimates of phishing losses are overstated and come from "unverified" numbers; they calculate that actual phishing revenue is around $61 million in the U.S. -- nowhere near Gartner's estimates of $3.2 billion in 2007. Herley and Florencio estimate that about .37 percent of users are phished each year, and that only about half of them actually have their accounts compromised. They say the bad guys don't always get to convert that data before their servers are discovered, users change their passwords after realizing their mistakes, or banks spot fraudulent activity.

"Far from being an easy money proposition, we claim that phishing is a low skill, low reward business, [and] here the average phisher makes about as much as if he did something legal with his time. The absence of data documenting large phishing gains suggests that this view has merit," the report says, and that data from victim surveys is basically biased.

But Avivah Litan, vice president and distinguished analyst of information security and risk at Gartner, says the researchers' paper is more of an academic exercise than reality. "They are assuming their economic theories apply here -- there is no hard evidence that they do," Litan says.

While there's no way to know for sure how all criminals steal sensitive data, Litan says, phishing, indeed, is one big method. "Phishing remains one very effective means and...end users are still falling for phishing attacks that are often combined with malware-based attacks," she says. "We also know that fraud losses are increasing, which is why there is so much demand for security and fraud detection products. Debating whether or not individual phishers can make as much money as they used to is frankly a somewhat-useless academic argument and does nothing to improve the fraud situation."

Researchers Billy K. Rios and Nitesh Dhanjani, who infiltrated the phishing underground to learn more about the way it operates, say the technical barrier to entry in phishing is "extremely low" and that phishers struggle to make money off of their efforts. "We saw many phishers resorting to marketing tactics, such as offering free identities and banking information, as incentive to do 'business' with a particular individual and as a way to differentiate themselves from the masses," Rios says.

And the recent surge in phisher-on-phisher crime, where phishers even phish or turn on one another, is another indication of their desperation, he notes. Rios and Dhanjani say the report sheds some much-needed light on the actual costs of phishing.

"With that said, we should be careful about focusing completely on the quantifiable aspects of phishing," Rios says. "There are still a lot of factors other than pure dollars that must be considered. Even if a business loses $0 in real money, there can still be a loss of customer confidence as many customers seem to blame the affected organization for phishing attacks (even though organizations are pretty much helpless to defend against phishing attacks that abuse their brand)."

The report, meanwhile, concludes that the high volume of phishing activity demonstrates its lack of success. "Phishers send more and more email hoping for their share of the bounty that eludes them," the report says.

That doesn't mean the authors of the report consider phishing a nonissue. "We would like to emphasize and re-emphasize that, even if the dollar losses are smaller than often believed, we believe that phishing is a major problem," the report says. "There are many types of crime where the dollars gained by the criminal are small relative to the damage they inflict. This appears to be the case with phishing. If the dollar losses were zero, the erosion of trust among Web users and destruction of email as a means of communicating would still be a major problem."

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message Kelly Jackson Higgins is Executive Editor at She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Government Shutdown Brings Certificate Lapse Woes
Curtis Franklin Jr., Senior Editor at Dark Reading,  1/11/2019
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Current Issue
The Year in Security 2018
This Dark Reading Tech Digest explores the biggest news stories of 2018 that shaped the cybersecurity landscape.
Flash Poll
How Enterprises Are Attacking the Cybersecurity Problem
How Enterprises Are Attacking the Cybersecurity Problem
Data breach fears and the need to comply with regulations such as GDPR are two major drivers increased spending on security products and technologies. But other factors are contributing to the trend as well. Find out more about how enterprises are attacking the cybersecurity problem by reading our report today.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2019-01-17
** DISPUTED ** An issue was discovered in BMC PATROL Agent through 11.3.01. It was found that the PatrolCli application can allow for lateral movement and escalation of privilege inside a Windows Active Directory environment. It was found that by default the PatrolCli / PATROL Agent application only...
PUBLISHED: 2019-01-17
A spoofing vulnerability exists when a Skype for Business 2015 server does not properly sanitize a specially crafted request, aka "Skype for Business 2015 Spoofing Vulnerability." This affects Skype.
PUBLISHED: 2019-01-17
A Cross-site Scripting (XSS) vulnerability exists when Team Foundation Server does not properly sanitize user provided input, aka "Team Foundation Server Cross-site Scripting Vulnerability." This affects Team.
PUBLISHED: 2019-01-17
An information disclosure vulnerability exists when Team Foundation Server does not properly handle variables marked as secret, aka "Team Foundation Server Information Disclosure Vulnerability." This affects Team.
PUBLISHED: 2019-01-17
Multiple command injection vulnerabilities in NeDi before 1.7Cp3 allow authenticated users to execute code on the server side via the flt parameter to Nodes-Traffic.php, the dv parameter to Devices-Graph.php, or the tit parameter to drawmap.php.