Phishing Is a Minimum-Wage Job

rohitm918 writes "A study by Microsoft Research concludes that phishers make very little (PDF): '...low-skill jobs pay like low-skill jobs, whether the activity is legal or not.' They also find that the Gartner numbers that everyone quotes ($3.2B/year etc) are rubbish, off by a factor of 50. 'Even though it harvests "free money," phishing generates total revenue equal to the total costs incurred by the actors. Each participant earns, on average, only as much as he would have made in the opportunities he gave up elsewhere. As the total phishing effort increases the total phishing revenue declines: the harder individual phishers try the worse their collective situation gets. As a consequence, increasing effort is a sign of failure rather than of success.'"

Re:That's actually waht they argue

[gujo-odori]

I'm own the anti-phishing rules at a well-known email security company, and while I agree with the principle that over-phishing is causing problems, as it does with fishing (although as with phishing, the best phishers are catching a lot more phish than the worst pishers), I don't think very many people are doing much more to protect their information. What does seem to happen, though, is that - just as with fish that see lures dragged in front of them all day long - people are coming to think everything is a fraud (I see legit bank emails reported as phishing all the time). Some of them, anyway. I also see a lot of correspondence threads in which people have already handed over money to 419ers or are preparing to do so.

And of course, phishers are also diversifying somewhat. Earlier this year, account credential phishing became popular. The goal: not immediate financial reward via account plunder, but to get access to a legit login on a host with a good email reputation for the purpose of either using it to send fraudulent email, or using it to send regular spam for hire.

Financial losses continue to be high, and I'm not convinced that the 3.2 billion figure is off by a factor of 50, even if it might be on the high side. But earnings by the theoretical average phisher? Yeah, they've got to be off. There are so many phishers these days, so many people are deluged by phishing attempts, and at least for those who have a good spam filter, a figure north of 99% of those phishing attempts don't make it to the inbox anyway.

The ones that get me are the people who release blatant phishing from quarantine. I'd love to know how many of them later respond and get phished. I suspect that number is rather high.

And then there are the money mule scams. People fall for those all the time. The phish aren't getting that much smarter, as far as I can tell.

Re:Minimum wage in the US

[teh moges]

If you read the article (which no-one ever does, but just in case you get modded insightful by a mod who didn't either), you'll see that minimum wage is a relative term.
The pool of phishing money is (more or less) static, so when more people start phishing (which happens as it becomes easier), the available money per phisher goes down until its not worth it. If this is less then the minimum wage, then people wouldn't do it, if its more, then more people do it. Hence it stabilizes around that mark. This is also one of the reasons why there are more phishers in poorer nations.

Re:That's actually waht they argue

[bluefoxlucid]

Fail. Your log-in is timestamped. It must both be the current token value AND not be during the same token window as the previous log-in. In other words, each token becomes invalid when the next is ready; and each can only be used once.

Re:Economically rational, isn't.

[grege222]

I recently heard Stephen Levitt (Freakonomics) speak, and he actually addressed your first example. It's actually the title example in his next book "Why Drug Dealers Live With Their Mothers." The gist of it being that while dealing drugs may make less money and certainly has more risk than McDonalds, their is greater opportunity for upward mobility. Just because you don't understand what's going on doesn't mean that it's irrational.

This has been pontificated about before...

[PCM2]

I mean for one thing, a lot of crime really doesn't pay well. Sometimes even less than a minimum wage job.

Steven D. Levitt addresses this in his book, Freakonomics. Chapter 3 is titled Why Do Drug Dealers Still Live with Their Moms? [freakonomicsbook.com]

Re:Need a new plan

[kzieli]

Please read Chapter 3 of Freakonomics or at least the synopsis on Wikipedia. Short answer dealers get to handle a lot of money in much the same way as bank tellers do. They don't get to keep all that much,

Re:Economically rational, isn't.

[alexborges]

Okay, my friend BagOCrap, here it is slowly explained:

a) Most strippers make more money than most waitresses

b) Not all woman CAN become strippers, but some (id say most) surely can.

c) For those that can, when the option is presented to them, they tend to choose being a waitress.

Why?

Because, even if working at a strip club is not illegal (necessarily), most women that could become strippers, decide its not a good career to have when compared to waiting tables... even if the pay is WAY, WAY better than in waiting tables.

It so follows that this women do not, at all, take the best-profit decision and thus, are economically irrational.

This train of thought is not all that bad, but it does suffer from this flaw: it is shortsighted in that it does not take into account oportunity costs. Most women, perhaps, want to have kids and they might view stripping as a somehow incompatible endeavor with their PTA meetings or taking care of their kids (actual or in the future).

Even if you make good money by stripping, most gated suburbian communities aint gonna take your career choice lightly and will probably signal both you and your family as undesirables.

This is sad, but peer pressure takes its toll.

Comment removed

[account_deleted]

Comment removed based on user account deletion