Cormac Herley and Dinei Florencio, both from Microsoft Research, conducted an independent economic analysis (PDF) that they say refutes conventional wisdom that phishing is lucrative. Instead, the researchers -- who note their work is their own and doesn't speak for Microsoft -- used economic models to conclude that phishing is a low-paid, low-skills enterprise where the average phisher makes hundreds, not thousands, of dollars a year.
"The more automated, the lower the barrier to entry, [and] the lower the effective return. When it's automated, it becomes a low-skill endeavor, and low-skill jobs pay like low-skill jobs," Herley says.
And like any organized crime organization, the foot soldiers don't make the big money. "It's likely that the money from phishing is unevenly divided, with some doing way better than others. But we don't have any data on that," Herley says.
Yuval Ben-Itzhak, CTO of Finjan, says the big bosses make the big bucks, and phishing isn't as lucrative in the U.S. as in other regions. "I think phishing did not reach all valid territories/countries in the world yet," he says. "I believe there are additional market segments that include 'deep pockets' waiting to be phished. It is not in the U.S."
In their report, Herley and Florencio argue that public estimates of phishing losses are overstated and come from "unverified" numbers; they calculate that actual phishing revenue is around $61 million in the U.S. -- nowhere near Gartner's estimate of $3.2 billion in 2007. Herley and Florencio estimate that about 0.37 percent of users are phished each year, and that only about half of them actually have their accounts compromised. They say the bad guys don't always get to convert that data before their servers are discovered, because users change their passwords after realizing their mistakes, or banks spot the fraudulent activity.
"Far from being an easy money proposition, we claim that phishing is a low skill, low reward business, [and] here the average phisher makes about as much as if he did something legal with his time. The absence of data documenting large phishing gains suggests that this view has merit," the report says, and that data from victim surveys is basically biased.
But Avivah Litan, vice president and distinguished analyst of information security and risk at Gartner, says the researchers' paper is more of an academic exercise than reality. "They are assuming their economic theories apply here -- there is no hard evidence that they do," Litan says.
While there's no way to know for sure how all criminals steal sensitive data, Litan says, phishing, indeed, is one big method. "Phishing remains one very effective means and...end users are still falling for phishing attacks that are often combined with malware-based attacks," she says. "We also know that fraud losses are increasing, which is why there is so much demand for security and fraud detection products. Debating whether or not individual phishers can make as much money as they used to is frankly a somewhat-useless academic argument and does nothing to improve the fraud situation."
Researchers Billy K. Rios and Nitesh Dhanjani, who infiltrated the phishing underground to learn more about the way it operates, say the technical barrier to entry in phishing is "extremely low" and that phishers struggle to make money off of their efforts. "We saw many phishers resorting to marketing tactics, such as offering free identities and banking information, as incentive to do 'business' with a particular individual and as a way to differentiate themselves from the masses," Rios says.
And the recent surge in phisher-on-phisher crime, where phishers even phish or turn on one another, is another indication of their desperation, he notes. Rios and Dhanjani say the report sheds some much-needed light on the actual costs of phishing.
"With that said, we should be careful about focusing completely on the quantifiable aspects of phishing," Rios says. "There are still a lot of factors other than pure dollars that must be considered. Even if a business loses $0 in real money, there can still be a loss of customer confidence as many customers seem to blame the affected organization for phishing attacks (even though organizations are pretty much helpless to defend against phishing attacks that abuse their brand)."
The report, meanwhile, concludes that the high volume of phishing activity demonstrates its lack of success. "Phishers send more and more email hoping for their share of the bounty that eludes them," the report says.
That doesn't mean the authors of the report consider phishing a nonissue. "We would like to emphasize and re-emphasize that, even if the dollar losses are smaller than often believed, we believe that phishing is a major problem," the report says. "There are many types of crime where the dollars gained by the criminal are small relative to the damage they inflict. This appears to be the case with phishing. If the dollar losses were zero, the erosion of trust among Web users and destruction of email as a means of communicating would still be a major problem."