Phishing Is a Minimum-Wage Job

rohitm918 writes "A study by Microsoft Research concludes that phishers make very little (PDF): '...low-skill jobs pay like low-skill jobs, whether the activity is legal or not.' They also find that the Gartner numbers that everyone quotes ($3.2B/year etc) are rubbish, off by a factor of 50. 'Even though it harvests "free money," phishing generates total revenue equal to the total costs incurred by the actors. Each participant earns, on average, only as much as he would have made in the opportunities he gave up elsewhere. As the total phishing effort increases the total phishing revenue declines: the harder individual phishers try the worse their collective situation gets. As a consequence, increasing effort is a sign of failure rather than of success.'"

Minimum wage in the US

[Dyinobal]

Minimum wage in the US perhaps but when the phishers live in a country with a higher exchange rate. They can be making considerably more than minimum wage in their own country. Infact I bet you could work and also do some phishing on the side (just like granddad use to do).

Not really all that big a surprise

[Sycraft-fu]

I mean for one thing, a lot of crime really doesn't pay well. Sometimes even less than a minimum wage job. I remember a few years ago there was a problem of newspaper machines getting broken in to and the change stolen. They finally caught the guy and estimated he'd been making well less than minimum wage. It wasn't a trivial job to get in them and it isn't as though a ton of papers are sold from those. While there certainly are criminals who make bank (like drug lords) often you'll find that really criminals would do just as well to get honest work.

Another thing is that you are talking about something where your success rate is very low, and even when you do have a success in terms of getting info, you don't necessarily get anything with it. Just because you steal someone's account and try to use it, doesn't mean it works. For example I had my credit card stolen. Wasn't a phishing scam, just someone that had got a hold of the number, but either way they had it. As soon as they tried to order something, I noticed. I had the card disabled, the merchant stopped shipment on the goods, and so on. The thief didn't get squat. So even though they were successful in getting my card, they weren't successful in getting anything with it.

So all in all ti doesn't surprise me that phishing is a low paying job. You aren't going to get many bites, some of the ones you DO get will be fake (I love filling out phishing forms with fake data), and even when you do get legit info, you might not get to use it.

That's actually waht they argue

[Sycraft-fu]

If you read their paper.

Also it is even worse, when you get down to it: People (contrary to evidence some times) have the capacity to learn. As phishing becomes a bigger problem, there's more news on it, more efforts to educate people about it and so on. So the pool of candidates shrinks. Likewise some companies start implementing technologies that make it hard/impossible to do (Paypal has a secure ID token you can get now for example).

So it isn't just a case of depleting the pool of dollars belonging to the people who can get phished, it is also a case of less people being available to be phished. While you'll certainly never educate everyone, I'd say awareness of phishing is much higher these days and many more people take care to protect their information.

Phishing is like Amway and other MLM's

[sydbarrett74]

The only ones who made any real money were the ones who bought in early; the vast majority of Amway reps break even at best.

Re:Economically rational, isn't.

[fred fleenblat]

Just assign a value to, or create a market for, the lost self-respect and you're back in business from an economics standpoint.

Re:Need a new plan

[Missing_dc]

Actually, A friend of mine was a marketing intern and turned to "slangin" as he called it. He made quite a bit of cash off the "nickle and dimers" by doing a little market analysis and identifying the non-public congregation points thereby raising his return on time and lowering his risk of being caught since most everyone there knew and could vouch for everyone else, then selling to them exclusively. He became known for delivering the desired goods in a far more timely fashion than could be acquired elsewhere and made those congregation points far more popular in the process. It was interesting to watch this occur. I observed for more than a year and rather enjoyed the constant female attention his customers lavished, you can probably see how that would work, the more you hang out with the supplier, the more deals you get.... In real life, he made a little over minimum wage, and oddly was my boss, then my employee.

Sigh, college life, how we miss you...

Similarities to drug dealers

[Anonymous Coward]

I work in Criminology and know that studies that focus on drug dealers show that they make far less than what most people imagine. Instead, many are in it because they need to add to their existing, legitimate, source of income or because they are attracted to the lifestyle. Its very possible that many phishers are tolerant of the low income simply because they enjoy living the lifestyle. Anyone interested in looking into the other possible links might want to read this [ingentaconnect.com].

wrong

[Anonymous Coward]

They make some assumptions that simply aren't true. They seem to imply that there is no barrier to entry. That there is neither a technical barrier nor a moral one and that there will simply be as many phishers as there can be until the money drops below minimum wage.

On the analogy of drugs that some have suggested there are two completely different kinds of drug dealers; those that get high off their own supply and those that don't. Those that don't tend to make pretty good money. I've known more than one who put themselves through school dealing drugs.

Re:Not really all that big a surprise

[fishbowl]

"As soon as they tried to order something, I noticed. I had the card disabled, the merchant stopped shipment on the goods, and so on. The thief didn't get squat."

Didn't get caught either. Merchant should have shipped "the goods" and had federal marshals "deliver them".

Re:Need a new plan

[morgan_greywolf]

Ummmmmmmm.....not quite. Depends on what you're selling and who you're selling it to. While Freakonomics covers crack dealers, crack isn't really all that lucrative. I personally know at least 5 different people -- none of whom know each other beyond acquaintance -- who at various times made a killing selling (primarily) marijuana. None of those people would have sold an ounce of crack, mostly for the reasons outlined in Freakonomics.

Re:Or they just value it higher

[digitalunity]

Stripping as a career is not economically rational.

As a person with several strippers for friends, let me enlighten you on market forces in this industry.

Stripper income can be strongly affected by people's perception of the health of the local economy. This effect has a negative correlation with population, meaning that clubs in small towns are even more sensitive to economic change. Belt-tightening can happen in strip clubs the same as anywhere else.

Last but not least, strippers age. As they get older, the physical requirements of the job become too difficult, particularly pole/cage dancing. As you age, you become less desirable and working in premier clubs becomes impossible. The end result for many strippers is they move from seedy to seedier clubs, turn to hooking or simply get a day job. The years spent stripping doesn't help them get a good job either, since the ability to spin around a pole at 1 RPM doesn't help them operate a computer or balance a register.

Working as a stripper for a long term career is a fiscally irrational decision, given that the income is neither stable nor will last for the duration of the time you need money. However, stripping your way through college is a rational decision and I support college-going women's decision to be strippers.

Re:Minimum wage in the US

[martin-boundary]

Those 66% are quoted Gartner estimates from 2006 in ref[13]. The funny thing is that refs 12-14 are Gartner reports, and TFA criticizes their methodology (including [13]) in sections 5.1.4 and 4.2.2, because they don't actually want to accept Gartner's findings of large statistical differences over the years studied. Seems like picking and choosing to me.

Re:That's actually waht they argue

[Eivind]

That fails to work with most sensibly designed token-systems, because there's either a timestamp involved, or the tokens are required in a certain sequence.

For example, to log into my bank, I need to enter my account-number and pin, then it'll ask me for say token #37, which I can get from the token-thing. If a phisher got my pin and account-number and somehow convinced me to enter a few tokens, he'd still have low odds of suceeding, because he doesn't KNOW which tokens to ask me for, since he doesn't know which ones the bank will ask for next time.

He can MITM-it offcourse, but even this is tricky since a user-side SSL-certificate is used, he could get this, but it requires 3 tokens and most people would get suspicious since normal logins normally only require a single one.

Re:Minimum wage in the US

[phedre]

This is all utterly ridiculous anyway. I've seen too many people unwilling to do LEGAL forms of work, when even a day labor job or a McDonald's job would bring in more money than they have now. Simply put, they would rather be broke than put in a days work.