Cormac Herley
ABSTRACT
Conventional wisdom is that phishing represents easy money. In this paper we examine the economics that underly the phenomenon, and find a very different picture. Phishing is a classic example of tragedy of the commons, where there is open access to a resource that has limited ability to regenerate. Since each phisher independently seeks to maximize his return, the resource is over-grazed and yields far less than it is capable of. The situation stabilizes only when the average phisher is making only as much as he gives up in opportunity cost.
Since the picture we paint is at variance with accepted wisdom we check against several publicly available data sources on phishing. We find the oft-quoted survey-based estimates of phishing losses unreliable. In particular the victimization rate found in most surveys is smaller than the margin of error, and dollar losses are estimated by averaging unverified self-reported numbers. We estimate that recent public estimates over-state phishing losses by as much as a factor of fifty.
This economic portrait illuminates our enemy in an entirely new light. Far from being a path to riches, phishing appears to be a low-skill low-reward business. The enormous amount of phishing activity is evidence of its failure to deliver riches rather than its success, as phishers send more and more email hoping for their share of the bounty that eludes them. Repetition of questionable survey results and unsubstantiated anecdotes makes things worse by ensuring a steady supply of new entrants.
- http://ha.ckers.org/blog/20070508/phishing-social-networking-sites/.Google Scholar
- http://en.wikipedia.org/wiki/Overgrazing.Google Scholar
- http://www.darkreading.com/document.asp?doc id=116574&f src=darkreading section 296.Google Scholar
- http://fisherieseconomics.googlepages.com/openaccess.Google Scholar
- http://www.slate.com/id/2144508/.Google Scholar
- A. Odlyzko. Internet traffic growth: Sources and implications. Proceedings of SPIE, 2003.Google Scholar
- J. Conybeare and T. Sandler. State-sponsored Violence as a Tragedy of the Commons: England's Privateering Wars with France and Spain, 1625--1630. Public Choice, 1993.Google Scholar
- Federal Trade Commission. Identity Theft Survey Report. 2003. http://www.ftc.gov/os/2003/09/synovatereport.pdf.Google Scholar
- Federal Trade Commission. Identity Theft Survey Report. 2007. www.ftc.gov/os/2007/11/SynovateFinalReportIDTheft2006.pdf.Google Scholar
- D. Florêncio and C. Herley. A Large-Scale Study of Web Password Habits. WWW 2007, Ban®. Google ScholarDigital Library
- Ford R., and Gordon S. Cent, Five Cent, Ten Cent, Dollar: Hitting Spyware where it Really Hurt. NSPW, 2006. Google ScholarDigital Library
- Gartner. Identity Theft Survey Report. 2005. http://www.gartner.com/press releases/asset 129754 11.html.Google Scholar
- Gartner. Phishing Survey. 2006. http://www.gartner.com/it/page.jsp?id=498245.Google Scholar
- Gartner. Phishing Survey. 2007. http://www.gartner.com/it/page.jsp?id=565125.Google Scholar
- H.S. Gordon. The Economic Theory of a Common-Property resource: The Fishery. Journal of Political Economy, 1954.Google ScholarCross Ref
- G. Hardin. The Tragedy of the Commons. Science, 1968.Google Scholar
- J. Franklin and V. Paxson and A. Perrig and S. Savage. An Inquiry into the Nature and Causes of the Wealth of Internet Miscreants. Proc. CCS, 2007. Google ScholarDigital Library
- Javelin. Identity Theft Survey Report. 2003. http://www.javelinstrategy.com/uploads/505.RF Phishing.pdf.Google Scholar
- M. Jakobsson and J. Ratkiewicz. Designing Ethical Phishing Experiments: A Study of (ROT13) rOnl Query Features. Proc. WWW, 2006. Google ScholarDigital Library
- P.A. Neher. The Pure Theory of Muggery. American Economic Review, 1978.Google Scholar
- P. Ohm. The Myth of the Superuser: Fear, Risk, and Harm Online. UC Davis Law Review, 2008.Google Scholar
- Anti-Phishing Working Group. http://www.antiphishing.org.Google Scholar
- R. Thomas and J. Martin. The Underground Economy: Priceless. Usenix ;login:, 2006.Google Scholar
- P. Reuter. The (continued) Vitality of Mythical Numbers. Public Interest, 1987.Google Scholar
- S. Iudicello and M. Weber and R. Wieland. Fish, Markets and Fishermen: the Economics of Overfishing. Island Press, 1999.Google Scholar
- S.D. Levitt and S.J. Dubner. Freakonomics: A Rogue Economist Explores the Hidden Side of Everything. William Morrow, 2005.Google Scholar
- M. Singer. The Vitality of Mythical Numbers. Public Interest, 1971.Google Scholar
- T. Moore and R. Clayton. Examining the Impact of Website Take-down on Phishing. Proc. APWG eCrime Summit, 2007. Google ScholarDigital Library
- TrustE. Phishing Survey. 2004. http://www.truste.org/about/press release/09 29 04.php.Google Scholar
Index Terms
- A profitless endeavor: phishing as tragedy of the commons
Recommendations
Two-Pronged Phish Snagging
ARES '12: Proceedings of the 2012 Seventh International Conference on Availability, Reliability and SecurityPhishing causes billions of dollars in damage every year and poses a serious threat to the Internet economy. Among the many possible communication channels, electronic mail still remains the most commonly used medium to launch phishing attacks. In this ...
Socio-technological phishing prevention
AbstractPhishing is deceptive collection of personal information leading to embezzlement, identity theft, and so on. Preventive and combative measures have been taken by banking institutions, software vendors, and network authorities to fight ...
Countermeasure Techniques for Deceptive Phishing Attack
NISS '09: Proceedings of the 2009 International Conference on New Trends in Information and Service SciencePhishing is a form of online identity theft. Phishers use social engineering to steal victims' personal identity data and financial account credentials. Social engineering schemes use spoofed e-mails to lure unsuspecting victims into counterfeit ...
Comments