Microsoft study questions phishing revenues

An article in The Register points to a very thorough piece of research by two Microsoft researchers, which holds that the common belief that phishers are raking in the dough is false. Spamming and phishing are often portrayed as highly profitable, and we think of the bad guys behind these ruses as living it up, driving fancy cars, having big sailboats and drawing money from secret multimillion dollar bank accounts in the Cayman Islands.

But is that perception true? A more accurate depiction of people in the phishing industry is that they are small-time losers and wannabes still living in their parents’ basement, constantly looking for the next get-rich-quick scheme that never really works.

The authors of the study take a detailed economic look at the phishing business, suggesting that “over-grazing” is inevitable, which creates diminishing returns for each participant as more people take up the scam, attracted by the illusion of a quick, easy buck. Another economic factor involved is that as more people get into the phishing business, there will be fewer victims, because awareness will increase. Consequently, phishing is decidedly a low-reward type of business. So are these guys making any money? Yes, but not that much. They would probably be better off spending eight hours a day making cappuccinos at Starbucks. The study suggests that the average phisher earns only hundreds of dollars, as opposed to the great riches that they imagined. To be sure, there are likely to be a small handful of phishing scammers who are making big money, but that is the exception.

The report makes a logical argument, but in the end, the statement of facts is not likely to diminish the incidence of spamming and phishing. The people that engage in these scams are first of all, not likely to be the sort of people that read academic papers like this one, and second, the lure of easy money is a powerful draw, no matter how unrealistic it may be.