Chapter 15. Plenty of Phish in the Sea

Phishing (attempting to steal passwords or other sensitive information by posing as a trustworthy website) is one of the biggest concerns in the security industry today. It’s a problem that many security technologies are trying to solve, and it’s getting a lot of press from banks, particularly ones that are frequent targets of these attacks. Frankly, that’s most banks these days.

Certainly, the impression we’re supposed to get is that phishing is easy money and people are getting rich. But an interesting report [5] came out recently that argues why that isn’t the case.

The authors of that report cleverly compare phishing to traditional fishing (yes, with an “f” instead of a “ph”). As you get more fishermen, there are fewer fish to catch, and the fishermen have to work harder to catch the same number of fish (usually they go farther out to sea and work longer).

In the phishing world, it’s the same, except there’s only one kind of phish to catch (let’s call the breed “suckerphish”). The pool of potential phishing victims doesn’t grow very fast. And, once people have been phished, not too many of them get thrown back into the pond (meaning that people who have been phished before are generally more wary and less likely to be phished again).

If there are lots of bad guys phishing, it’s problematic for all the bad guys. They have to try harder to find victims, meaning far more phishing attempts, and the bad guys are each going to make less money (on average). ...
