Research Paper: Phishing Just Doesn’t Pay!
A very interesting paper came out a few days ago by Microsoft researchers Cormac Herley and Dinei Florencio exploring the economics of phishing. In a nutshell, they systematically analyze phishing, both in terms of victims' losses and in terms of phishers' gains, and find that the dollar figures attached to the phenomenon are widely overstated. The short version: too many phishers chasing too few victims for too small a gain, a classic "tragedy of the commons" problem. Value-added services (selling kits, hosting and the like to other phishers) are where the money is. This jibes well with the anecdotal experience of many of us.
Some of my favorite parts:
But consistent reports of easy money may encourage him to think that he’s doing something wrong and that his returns will improve with time.
Indeed one explanation of the thriving trade in phishing related services reported in [23, 17] is that phishers with more experience prey upon those with less. That is, those who have tried phishing and found it unprofitable or marginally profitable find it better to sell services to those who haven't reached that conclusion yet.
We think that this economic analysis has important implications in addressing the problem on a macro level. If we are correct that large phishing dollar losses are an exaggeration, an important conclusion is that repeating those claims feeds the beast, perpetuates the myth of the infinitely capable superuser attacker, and attracts poorly-informed new entrants to phishing.
I find the research and analysis compelling. A lot of it fits with the model outlined by Levitt and Dubner in "Freakonomics", chapter 3, "Why Do Drug Dealers Still Live with Their Moms?" Granted, phishing is far less structured than the drug gang in that chapter, but the premise still stands: the lure is far greater than the reality.
The paper is online on SlideShare, or available as a PDF: A Profitless Endeavor: Phishing as Tragedy of the Commons.