It’s About The Money, Stupid – Or Is It?

I have been harping long and loud recently about the purpose of malware writing. It’s about the money. No one is writing viruses for notoriety, fun, and fleeting fame anymore. It’s about the money – it’s phishing, it’s spam, it’s botnets, it’s identity theft and credit card and banking fraud.

But there may be some relief. It appears that phishing, at least, has hit the wall of diminishing returns. A Microsoft study recently concluded that phishers’ efforts are rewarded less and less, in spite of an apparent increase in effort. It seems that phishers might have made similar money doing the same level of computer work in a legitimate line of endeavor. The study is quoted below, as reported in Good Morning Silicon Valley.

“Far from being a path to riches, phishing appears to be a low-skill
low-reward business. The enormous amount of phishing activity is evidence of its
failure to deliver riches rather than its success, as phishers send more and
more email hoping for their share of the bounty that eludes them. Repetition of
questionable survey results and unsubstantiated anecdotes makes things worse by
ensuring a steady supply of new entrants. … The picture that we end up with is
very different from the ‘easy money’ that is conventional wisdom. … The
average revenue for a given phisher is the same (or slightly lower) than he
would have made at another available occupation for his skill level. The easier
phishing gets the worse the economic picture for phishers. As phishers put more
and more effort into the endeavor, the total revenue falls rather than rises.”
An analysis by Microsoft researchers concludes that in terms of open access to
a finite resource that has limited ability to regenerate, the economics of phishing
and fishing are surprisingly similar.


About the Author:

I am a cybersecurity and IT instructor, cybersecurity analyst, pen-tester, trainer, and speaker. I am an owner of the WyzCo Group Inc. In addition to consulting on security products and services, I also conduct security audits, compliance audits, vulnerability assessments and penetration tests. I also teach Cybersecurity Awareness Training classes. I work as an information technology and cybersecurity instructor for several training and certification organizations. I have worked in corporate, military, government, and workforce development training environments. I am a frequent speaker at professional conferences such as the Minnesota Bloggers Conference, Secure360 Security Conference in 2016, 2017, 2018, 2019, the (ISC)2 World Congress 2016, and the ISSA International Conference 2017, and many local community organizations, including Chambers of Commerce, SCORE, and several school districts. I have been blogging on cybersecurity since 2006 at
