Report: Phishing A Low-Paying, Low-Skills Job

Economic analysis says phishing in the USA isn't as lucrative as once thought

Most experts agree that phishing has become more automated, sophisticated, and widespread. But that doesn't mean all phishers make big bucks, according to a recently published report.

Cormac Herley and Dinei Florencio, both from Microsoft Research, conducted an independent economic analysis (PDF) that they say refutes conventional wisdom that phishing is lucrative. Instead, the researchers -- who note their work is their own and doesn't speak for Microsoft -- used economic models to conclude that phishing is a low-paid, low-skills enterprise where the average phisher makes hundreds, not thousands, of dollars a year.

"The more automated, the lower the barrier to entry, [and] the lower the effective return. When it's automated, it becomes a low-skill endeavor, and low-skill jobs pay like low-skill jobs," Herley says.

And like any organized crime organization, the foot soldiers don't make the big money. "It's likely that the money from phishing is unevenly divided, with some doing way better than others. But we don't have any data on that," Herley says.

Yuval Ben-Itzhak, CTO of Finjan, says the big bosses make the big bucks, and phishing isn't as lucrative in the U.S. as in other regions. "I think phishing did not reach all valid territories/countries in the world yet," he says. "I believe there are additional market segments that include 'deep pockets' waiting to be phished. It is not in the U.S."

In their report Herley and Florencio argue that public estimates of phishing losses are overstated and come from "unverified" numbers; they calculate that actual phishing revenue is around $61 million in the U.S. -- nowhere near Gartner's estimates of $3.2 billion in 2007. Herley and Florencio estimate that about 0.37 percent of users are phished each year, and that only about half of them actually have their accounts compromised. They say the bad guys don't always get to convert that data before their servers are discovered, users change their passwords after realizing their mistakes, or banks spot fraudulent activity.

"Far from being an easy money proposition, we claim that phishing is a low skill, low reward business, [and] here the average phisher makes about as much as if he did something legal with his time. The absence of data documenting large phishing gains suggests that this view has merit," the report says, and that data from victim surveys is basically biased.

But Avivah Litan, vice president and distinguished analyst of information security and risk at Gartner, says the researchers' paper is more of an academic exercise than reality. "They are assuming their economic theories apply here -- there is no hard evidence that they do," Litan says.

While there's no way to know for sure how all criminals steal sensitive data, Litan says, phishing, indeed, is one big method. "Phishing remains one very effective means and...end users are still falling for phishing attacks that are often combined with malware-based attacks," she says. "We also know that fraud losses are increasing, which is why there is so much demand for security and fraud detection products. Debating whether or not individual phishers can make as much money as they used to is frankly a somewhat-useless academic argument and does nothing to improve the fraud situation."

Researchers Billy K. Rios and Nitesh Dhanjani, who infiltrated the phishing underground to learn more about the way it operates, say the technical barrier to entry in phishing is "extremely low" and that phishers struggle to make money off of their efforts. "We saw many phishers resorting to marketing tactics, such as offering free identities and banking information, as incentive to do 'business' with a particular individual and as a way to differentiate themselves from the masses," Rios says.

And the recent surge in phisher-on-phisher crime, where phishers even phish or turn on one another, is another indication of their desperation, he notes. Rios and Dhanjani say the report sheds some much-needed light on the actual costs of phishing.

"With that said, we should be careful about focusing completely on the quantifiable aspects of phishing," Rios says. "There are still a lot of factors other than pure dollars that must be considered. Even if a business loses $0 in real money, there can still be a loss of customer confidence as many customers seem to blame the affected organization for phishing attacks (even though organizations are pretty much helpless to defend against phishing attacks that abuse their brand)."

The report, meanwhile, concludes that the high volume of phishing activity demonstrates its lack of success. "Phishers send more and more email hoping for their share of the bounty that eludes them," the report says.

That doesn't mean the authors of the report consider phishing a nonissue. "We would like to emphasize and re-emphasize that, even if the dollar losses are smaller than often believed, we believe that phishing is a major problem," the report says. "There are many types of crime where the dollars gained by the criminal are small relative to the damage they inflict. This appears to be the case with phishing. If the dollar losses were zero, the erosion of trust among Web users and destruction of email as a means of communicating would still be a major problem."

Kelly Jackson Higgins is Executive Editor at Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...
