Phishing is not as lucrative as generally thought.
According to Cormac Herley and Dinei Florencio, who both work in research for Microsoft, phishing is a low-paid, low-skills enterprise and the average phisher makes hundreds, not thousands, of dollars a year.
The researchers argue that public estimates of phishing losses are overstated and come from ‘unverified’ numbers; they calculate that actual phishing revenue is around $61 million in the U.S. - nowhere near Gartner's estimates of $3.2 billion in 2007.
Herley and Florencio estimate that about 0.37 per cent of users are phished each year, and that only about half of them actually have their accounts compromised. They say the cybercriminals don't always get to convert that data before their servers are discovered, users change their passwords after realising their mistakes, or banks spot fraudulent activity.
Herley said: “The more automated, the lower the barrier to entry, and the lower the effective return. When it's automated, it becomes a low-skill endeavour, and low-skill jobs pay like low-skill jobs. And like any organised crime organisation, the foot soldiers don't make the big money. It's likely that the money from phishing is unevenly divided, with some doing way better than others.”
The report, meanwhile, concludes that the high volume of phishing activity is itself evidence of how little success it has, but that users should not consider phishing to be a non-issue.
The report said: “We would like to emphasise and re-emphasise that, even if the dollar losses are smaller than often believed, we believe that phishing is a major problem. There are many types of crime where the dollars gained by the criminal are small relative to the damage they inflict. This appears to be the case with phishing. If the dollar losses were zero, the erosion of trust among web users and destruction of email as a means of communicating would still be a major problem.”
Avivah Litan, vice president and analyst at Gartner, told Dark Reading: “They are assuming their economic theories apply here - there is no hard evidence that they do. Phishing remains one very effective means and end users are still falling for phishing attacks that are often combined with malware-based attacks.
“We also know that fraud losses are increasing, which is why there is so much demand for security and fraud detection products. Debating whether or not individual phishers can make as much money as they used to is frankly a somewhat-useless academic argument and does nothing to improve the fraud situation.”