Gerade habe ich mir eine interessante Studie durchgelesen: Phishing as a Tragedy of the Commons. Cormac Herley, ein Forscher bei Microsoft Research hat darin eine ziemlich radikale These aufgestellt:

Phishing bringt keinen (großen) Gewinn

Hier ein paar Auszüge:

Conventional wisdom is that phishing represents easy money. In this paper we examine the economics that underly the phenomenon, and find a very different picture. Phishing is a classic example of tragedy of the commons, where there is open access to a resource that has limited ability to regenerate. Since each phisher independently seeks to maximize his return, the resource is over-grazed and yields far less than it is capable of.

… Phishing appears to be a low-skill low-reward business. The enormous amount of phishing activity is evidence of its failure to deliver riches rather than its success. Repetition of “easy money" stories without scrutiny makes things worse by ensuring a steady supply of new entrants.

… We find the oft-quoted survey-based estimates of phishing losses so noisy as to be unreliable. In particular the phishing rate in most surveys is significantly smaller than the margin of error, and dollar losses are estimated by taking the average (not median) over a very small number of reporting victims.

Und Cormac kommt am Ende zum folgenden Schluss:

… Far from being an easy money proposition we claim that phishing is a low skill, low reward business, where the average phisher makes about as much as if he did something legal with his time.

Es dürfte also nur mehr eine Frage der Zeit sein, bis auch das Thema Phishing wieder der Vergangenheit angehört. Wenn nämlich der eigentliche Anreiz, der angeblich zu erwartende hohe Gewinn, ausbleibt, dann werden ja auch immer weniger Phishing Betrügereien die Folge sein. Mal sehen.

Weitere interessante Studien von Cormac Herely zum Thema Phishing sind:

und für alle, die gerne von öffentlichen Computern Ihre E-mails abrufen: