The Microsoft report on the profitability of phishing and its associated economic constraints is reminiscent of another illegal enterprise: street-level drug dealing. Microsoft released a report stating that phishing is nowhere near as profitable as commonly believed. If you have not read the report or Dancho's review of the paper, I suggest you head over there now. Since I am a little slow in the head, it took me a few days to process the results of the work, but I did reach a few insights of my own.
First of all, I was always bothered by the rate of phishing in the mail stream. Most security firms put it at around 0.1% to 0.5% of the total mail volume. If phishing were so profitable, it should have a volume comparable to that of spam, since the technologies used to combat each in the e-mail stream are not that different, and so the cost of getting a message delivered is roughly the same for both. The low volume is only explained by the relative unprofitability of phishing when compared to spam.
Second of all, there is another illegal activity that obeys similar economic constraints. While the public believes drug dealers are generally wealthy, sociologist Sudhir Venkatesh has shown that street-level drug dealers basically make around minimum wage. The corner drug trade is highly competitive for territory, requires little skill, and has plenty of laborers willing to step up to a newly opened slot at the bottom. In business lingo, the competition for market share at the bottom of the supply chain creates a downward pressure on labor costs. Apparently the same is true of phishing.
Now we are left to ponder the follow-up question. If phishing is already unprofitable for the people at the bottom, can we ever make the problem go away?