Microsoft: Phishing losses greatly over-estimated

Phishers make much less from their scams than analysts have estimated, according to research from the software maker
Written by Tom Espiner, Contributor

The financial losses experienced by victims of phishing scams may be as little as one-fiftieth of analysts' estimates, according to a Microsoft study.

Previous studies by organisations such as Gartner, which in 2007 estimated US phishing losses at $3.2bn (£2bn), "crumble upon inspection", Microsoft researchers said in their report, published on Tuesday.

Nevertheless, stories of easy money may be encouraging a phishing "gold rush" effect, in which large numbers of newcomers enter the phishing business expecting huge returns, only to be preyed upon by more experienced phishers, according to the report, titled A Profitless Endeavor: Phishing as Tragedy of the Commons.

The study, undertaken by Microsoft researchers Cormac Herley and Dinei Florencio, also suggests there is less profit than thought in phishing because there is only a limited number of people who will be fooled by the scams, and that pool gets smaller as the scams claim victims.

"Phishing is a classic example of tragedy of the commons, where there is open access to a resource that has limited ability to regenerate," the authors say in their report. "Since each phisher independently seeks to maximise his return, the resource is over-grazed and [on average] yields far less than it is capable of."

Instead of getting a maximum return for a minimum effort, the majority of phishers make a weekly wage of hundreds, rather than thousands, of dollars, the researchers said.

"Far from being a path to riches, phishing appears to be a low-skill, low-reward business," says the study. "The enormous amount of phishing activity is evidence of its failure to deliver riches, rather than its success, as phishers send more and more email hoping for their share of the bounty that eludes them."

The researchers suggested several reasons why phishing studies may have overestimated victims' financial losses. Fraud victims have a tendency to exaggerate their loss. The researchers also pointed to problems with survey methodology, such as failure to contact a representative sample of the population or to factor in margins of error.

Microsoft estimated US victims lose $61m (£40m) to phishing schemes each year, in contrast to figures such as Gartner's $3.2bn (£2bn) or Javelin's $367m (£240m).

However, Gartner on Friday defended the methodology behind its figure, saying it had employed professional survey companies to undertake its surveys.

"The survey companies screen out refusal rate, self selection, and the other criticisms Microsoft had about the methodology," said Avivah Litan, a Gartner phishing expert. "Since the financial services and retail industry do not publish numbers on phishing losses, we must get those numbers from consumers who are surveyed using the best methods available. Even with the margin of error, the survey results we have seen year after year with regards to phishing attacks and their damage are remarkably close, giving us confidence in the numbers."

Litan criticised the Microsoft study, saying the Microsoft researchers had not taken into account complexities in their model of the underground cyber-economy.

"It's very misleading for the authors only to look at the phishing industry without looking at the malware business," said Litan. "In fact, it renders their entire economic argument meaningless."

One objection to Microsoft's economic argument is that phishing as a business would die out if it were not highly profitable. The Microsoft researchers suggested that new, inexperienced phishers are constantly being pulled in, attracted by "stories of instant riches". These newcomers are then open to being scammed by veteran cybercriminals.

"One explanation of the thriving trade in phishing-related services is that phishers with more experience prey upon those with less," said the researchers. "Those who have tried phishing and found it unprofitable, or marginally profitable, find it better to sell services to those who haven't reached that conclusion yet."

In this scenario, a resource such as a botnet can be rented out for more than it will yield "if the buyer overestimates the likely return".
