Microsoft Research has published a new report that takes an interesting look inside the criminal business of Phishing. Written by Cormac Herley and Dinei Florêncio, the report explains the economics behind the criminal enterprise, and paints a picture that is in stark contrast to what many analysts have reported in the past.
“Conventional wisdom is that Phishing represents easy money,” is how the report starts. The headlines have grabbed the attention of the masses time and time again, reporting that criminals (often mislabelled as hackers by the media) are making money hand over fist thanks to a form of scam called Phishing.
The report from Microsoft notes a few popular stories from the past, such as the “Interview with a Phisher,” which tells the story of a teen who started Phishing because he was bored and found it to be very easy. The teen went on to claim he made upwards of $4,000 USD per day and stole over 20 million identities. His story, like the others seen in the press, backs the notion that Phishing scams are easy to pull off and can yield one hell of a tidy profit.
Yet the report points out that this is simply not the case. By its math, the pool of money available as a direct result of Phishing schemes is mostly static, so the more people taking part in Phishing scams, the less money there is to spread around.
To put it another way, as Phishing gets easier (as is evident from the readymade Phishing kits available for download or purchase online), more people are likely to take part in Phishing crimes. The more people who Phish, the less money each of them stands to make.
The assumption of a static pool only makes sense if you leave other things out of the account. The static pool theory does not include teams of people who Phish together and split the profit only among themselves. It does not account for criminals at the upper tiers of Phishing groups who leech from others and take more than their fair share, whether by inflating the price of services sold to Phishing crews (hosting, VPN tunnel access, money laundering and currency exchange) or by flat-out extortion.
The research paper does make a good argument that the more people who are aware of Phishing schemes, because such schemes are in the news all the time (community education, or simple word of mouth), the fewer potential Phishing victims there are. This is a classic example of resource depletion.
In the end, crime doesn’t pay. Those pulling off the Phishing schemes are likely to see little to no financial gain compared to an honest worker putting in the same time and effort at a normal job. Those who do profit are the exceptions, not the typical Phishing criminal.
That is, unless you read research papers from established firms such as Gartner or Javelin, which report hundreds of millions of dollars lost every year because of Phishing schemes. This is in addition to the bulletins and reports from the FTC, which outline some of the same facts and figures.
Microsoft Research describes both sets of estimates as noisy at best, and suggests they are badly overinflated.
“We find that the data from widely cited victim surveys are noisier and more biased than is generally realized. It is interesting to wonder why the Gartner and FTC estimates are repeated without scrutiny when they appear noisy at best.”
Citing a paper by scholar Peter Reuter, titled “The (Continued) Vitality of Mythical Numbers,” the Microsoft Research report postulates that the often-quoted Phishing figures are repeated by the media and taken at face value by the public because there is “an interest in having the reported numbers be high, but no constituency with an interest in having those numbers be accurate.”
The report adds that “an absence of scrutiny from academic researchers” allows this to continue.
“Finally, we would like to emphasize and re-emphasize that, even if the dollar losses are smaller than often believed, we believe that phishing is a major problem. There are many types of crime where the dollars gained by the criminal are small relative to the damage they inflict. This appears to be the case with phishing. If the dollar losses were zero the erosion of trust among web users, and destruction of email as a means of communicating would still be a major problem,” the report concludes.
Phishing is like any other criminal scheme. As the victims get smarter, the criminals will follow suit and create increasingly clever ways to defeat the new sense of awareness their victims have developed. Phishing grew out of Social Engineering, and its progression into the threat it is today amounts to the same old crime wrapped in a new package.
Perhaps the facts and figures released in Phishing-related news will now be met with more skepticism.