A Profitless Endeavor: Phishing as Tragedy of the Commons

Proceedings of the New Security Paradigms Workshop

Published by Association for Computing Machinery, Inc.

Conventional wisdom holds that phishing represents easy money. In this paper we examine the economics that underlie the phenomenon and find a very different picture. Phishing is a classic example of the tragedy of the commons: there is open access to a resource that has a limited ability to regenerate. Since each phisher independently seeks to maximize his return, the resource is over-grazed and yields far less than it is capable of. The situation stabilizes only when the average phisher makes just as much as he gives up in opportunity cost. Since the picture we paint is at variance with accepted wisdom, we check it against several publicly available data sources on phishing. We find the oft-quoted survey-based estimates of phishing losses unreliable. In particular, the victimization rate found in most surveys is smaller than the margin of error, and dollar losses are estimated by averaging unverified self-reported numbers. We estimate that recent public estimates overstate phishing losses by as much as a factor of fifty. This economic portrait illuminates our enemy in an entirely new light. Far from being a path to riches, phishing appears to be a low-skill, low-reward business. The enormous amount of phishing activity is evidence of its failure to deliver riches rather than its success, as phishers send more and more email hoping for their share of a bounty that eludes them. Repetition of questionable survey results and unsubstantiated anecdotes makes things worse by ensuring a steady supply of new entrants.
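As an added worked illustration of the two arguments above (this is not the paper's own model, and every parameter is constructed), the commons dynamics and the margin-of-error check can be put in code: a logistic yield curve in which total return rises and then falls with total phishing effort, entry that continues until the average phisher earns only his opportunity cost (so the rent dissipates to zero and effort settles at twice the optimum), and the worst-case sampling margin that a survey of n respondents quotes, against which a reported victimization rate can be compared.

```python
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class PhishingCommons:
    """Open-access model of a victim pool with limited regeneration (toy numbers)."""
    a: float     # dollars one unit of effort yields from an untouched pool
    e0: float    # total effort at which the over-grazed pool yields nothing
    cost: float  # opportunity cost of one unit of effort (what a phisher gives up)

    def total_yield(self, effort: float) -> float:
        """Dollars extracted per period: rises, peaks at e0/2, then falls as the
        same victims are hit over and over (logistic yield curve, as in fisheries)."""
        return max(0.0, self.a * effort * (1.0 - effort / self.e0))

    def average_return(self, effort: float) -> float:
        """What the average phisher earns per unit of effort."""
        return self.total_yield(effort) / effort if effort > 0 else self.a

    def open_access_effort(self) -> float:
        """Entry stops only when the average return equals opportunity cost."""
        return self.e0 * (1.0 - self.cost / self.a)

    def optimal_effort(self) -> float:
        """Effort that maximises rent = total yield minus total opportunity cost."""
        return self.e0 * (self.a - self.cost) / (2.0 * self.a)

    def rent(self, effort: float) -> float:
        return self.total_yield(effort) - self.cost * effort


def simulate_entry(c: PhishingCommons, step: float = 1.0, rounds: int = 100_000) -> float:
    """Phishers enter while a newcomer would still beat opportunity cost and leave
    while the average phisher earns less than it; returns where effort settles."""
    effort = 0.0
    for _ in range(rounds):
        if c.average_return(effort + step) > c.cost:
            effort += step
        elif effort >= step and c.average_return(effort) < c.cost:
            effort -= step
        else:
            break
    return effort


def survey_margin(n: int, rate: float, z: float = 1.96) -> tuple[float, bool]:
    """Worst-case (p = 0.5) 95% margin of error a survey of n respondents usually
    quotes, and whether the reported victimization rate is smaller than it."""
    margin = z * math.sqrt(0.25 / n)
    return margin, rate < margin
```

With the constructed parameters a=10, e0=1000 and cost=2, open access settles at effort 800 yielding 1600 dollars with zero rent, whereas effort 400 would yield 2400 dollars and 1600 dollars of rent; a 2% victimization rate from 1000 respondents lies inside the roughly 3.1% worst-case margin.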