Copyright © 2009 What The Hell? Security
This much is hardly news, but six months ago two Microsoft researchers published a paper titled A Profitless Endeavor: Phishing as Tragedy of the Commons. It presents a provocative case that the aggregate financial impact of phishing is on the order of 1/50th that suggested by surveys of U.S. online consumers. And we’re not talking $27.41 vs. $1370.50. We’re talking US$61 million vs. US$3 billion.
My personal experience tells me we might never know the cost of phishing. For one, in the proverbial good old days, phishing used to have a tidy set of causes and effects. Nowadays phishing begets malware begets phishing begets malware ad infinitum. Good luck trying to unravel that knot.
In 2007, I attended a meeting of the Anti-Phishing Working Group (APWG) with what I guessed to be 300 other people from around the world. They represented a cross section of businesses such as banks, brokerages, retailers, and even major credit card labels. I went there specifically to gauge the true financial impact of phishing firsthand, having spent at least fifty fruitless hours trying to do the same with search engines.
I prowled around the first half day introducing myself and asking people what they hoped to accomplish by the end. I used that as a segue to tell them what I was after, hoping they’d drop me a few bones. After striking out with a couple of bank VPs (“We have it pretty much under control”), I tried a fellow from Visa whom I happened to be sitting next to. I asked him straight out if Visa knew how much phishing was costing the industry. He responded that they had a very good idea of the cost, but would not divulge it publicly.
During a panel Q&A, I addressed the crowd saying that while I believed in phishing as a phenomenon — an understatement if there ever was one — I would play devil’s advocate and assert that it was purely a press sensation with no financial impact at all. And would anybody like to contradict me.
For a good 30 seconds everybody looked around the room hoping somebody else would speak up. Then we all broke out laughing. Harder when one of the panel members said he had a really good idea gleaned from help he had provided the U.S. Treasury. The numbers, he said, were not exactly secret but they had asked him not to tell anybody.
As I walked back to my seat I heard the rear door of the hall click open. I turned around just in time to see a great big elephish tiptoe out into the foyer.



