Report: Phishing A Low-Paying, Low-Skills Job

Economic analysis says phishing in the USA isn't as lucrative as once thought

Most experts agree that phishing has become more automated, sophisticated, and widespread. But that doesn't mean all phishers make big bucks, according to a recently published report.

Cormac Herley and Dinei Florencio, both from Microsoft Research, conducted an independent economic analysis (PDF) that they say refutes conventional wisdom that phishing is lucrative. Instead, the researchers -- who note their work is their own and doesn't speak for Microsoft -- used economic models to conclude that phishing is a low-paid, low-skills enterprise where the average phisher makes hundreds, not thousands, of dollars a year.

"The more automated, the lower the barrier to entry, [and] the lower the effective return. When it's automated, it becomes a low-skill endeavor, and low-skill jobs pay like low-skill jobs," Herley says.

And like any organized crime organization, the foot soldiers don't make the big money. "It's likely that the money from phishing is unevenly divided, with some doing way better than others. But we don't have any data on that," Herley says.

Yuval Ben-Itzhak, CTO of Finjan, says the big bosses make the big bucks, and phishing isn't as lucrative in the U.S. as in other regions. "I think phishing did not reach all valid territories/countries in the world yet," he says. "I believe there are additional market segments that include 'deep pockets' waiting to be phished. It is not in the U.S."

In their report, Herley and Florencio argue that public estimates of phishing losses are overstated and come from "unverified" numbers; they calculate that actual phishing revenue is around $61 million in the U.S. -- nowhere near Gartner's estimate of $3.2 billion in 2007. Herley and Florencio estimate that about 0.37 percent of users are phished each year, and that only about half of them actually have their accounts compromised. They say the bad guys don't always get to convert that data before their servers are discovered, users change their passwords after realizing their mistakes, or banks spot fraudulent activity.

"Far from being an easy money proposition, we claim that phishing is a low skill, low reward business, [and] here the average phisher makes about as much as if he did something legal with his time. The absence of data documenting large phishing gains suggests that this view has merit," the report says, and that data from victim surveys is basically biased.

But Avivah Litan, vice president and distinguished analyst of information security and risk at Gartner, says the researchers' paper is more of an academic exercise than reality. "They are assuming their economic theories apply here -- there is no hard evidence that they do," Litan says.

While there's no way to know for sure how all criminals steal sensitive data, Litan says, phishing, indeed, is one big method. "Phishing remains one very effective means and...end users are still falling for phishing attacks that are often combined with malware-based attacks," she says. "We also know that fraud losses are increasing, which is why there is so much demand for security and fraud detection products. Debating whether or not individual phishers can make as much money as they used to is frankly a somewhat-useless academic argument and does nothing to improve the fraud situation."

Researchers Billy K. Rios and Nitesh Dhanjani, who infiltrated the phishing underground to learn more about the way it operates, say the technical barrier to entry in phishing is "extremely low" and that phishers struggle to make money off of their efforts. "We saw many phishers resorting to marketing tactics, such as offering free identities and banking information, as incentive to do 'business' with a particular individual and as a way to differentiate themselves from the masses," Rios says.

And the recent surge in phisher-on-phisher crime, where phishers phish or otherwise turn on one another, is another indication of their desperation, he notes. Rios and Dhanjani say the report sheds some much-needed light on the actual economics of phishing.

"With that said, we should be careful about focusing completely on the quantifiable aspects of phishing," Rios says. "There are still a lot of factors other than pure dollars that must be considered. Even if a business loses $0 in real money, there can still be a loss of customer confidence as many customers seem to blame the affected organization for phishing attacks (even though organizations are pretty much helpless to defend against phishing attacks that abuse their brand)."

The report, meanwhile, concludes that the high volume of phishing activity demonstrates its lack of success. "Phishers send more and more email hoping for their share of the bounty that eludes them," the report says.

That doesn't mean the authors of the report consider phishing a nonissue. "We would like to emphasize and re-emphasize that, even if the dollar losses are smaller than often believed, we believe that phishing is a major problem," the report says. "There are many types of crime where the dollars gained by the criminal are small relative to the damage they inflict. This appears to be the case with phishing. If the dollar losses were zero, the erosion of trust among Web users and destruction of email as a means of communicating would still be a major problem."

Kelly Jackson Higgins is the Executive Editor of Dark Reading.
