Phishing as commercial enterprise

Phishing has reached operational maturity as a commercial enterprise. The infrastructure is professional; the operators are organised; the cost-benefit favours the attackers. This post is a structural assessment of how the category has evolved since I first wrote about it in 2001, and what defenders should now expect.

The content is substantive enough that the post will run longer than my recent ones. The category deserves careful treatment.

What is mature in the phishing infrastructure

Four specific components are now operationally mature.

Toolkits. Off-the-shelf phishing toolkits are widely available in underground markets. They include site templates for major banks, automation for credential collection, payment-card harvesting, and various anti-detection techniques. The skill barrier to operating a campaign has dropped from "experienced developer" to "someone who can follow installation instructions".

The toolkits whose analyses I have seen include site templates for hundreds of financial institutions worldwide. The templates are kept current — when a target bank updates its site, the toolkit is updated within days. The toolkit operators are running what looks like a software-as-a-service business, with versioning, customer support (yes, really), and competitive pricing.

Bulletproof hosting. Specific hosting providers explicitly tolerate phishing operations. They are typically based in jurisdictions with limited international cooperation on cybercrime, and they offer hosting at premium rates with explicit promises that they will not respond to takedown requests.

The "bulletproof" designation is, in practice, partial. Sites still get taken down — by upstream pressure, by domain registrar action, by the hosting provider eventually responding when the legal pressure is sufficient. But the takedown latency is hours to days rather than minutes. During that window, the site is operational.

The response from the legitimate hosting industry has been uneven. Some providers actively cooperate with takedown requests; some do not. The economic incentives are such that even legitimate providers are slower to respond than the security community would like.

Money-laundering infrastructure. Captured credentials are converted to money through several mature pathways. The most common involves money mules — individuals (often unwitting, recruited through fake job postings) who receive fraudulent transfers and forward them to accounts controlled by the criminals.

The mule infrastructure is itself a category. Recruitment is professional; the mules are paid in advance for their first few transactions; the criminals manage the relationship across multiple jurisdictions to maximise the difficulty of investigation.

More recently, cryptocurrency-style mechanisms (e-gold, in 2005, is the most prominent) provide alternative cash-out paths. The legitimate financial system is becoming somewhat better at detecting fraudulent transactions; the underground response has been to route through alternatives.

Targeting data. Stolen marketing databases provide demographic targeting that the early phishing campaigns lacked. Recipients are increasingly likely to actually be customers of the targeted brand. The response rate per email has correspondingly grown.

The sources of targeting data include: leaked corporate marketing lists, compromised customer databases, harvested email addresses with associated demographic enrichment. The underground markets for this data are themselves substantial; targeting data is a tradeable commodity.

What this teaches structurally

The phishing category has moved beyond what technical defences alone can address. The toolkits, the hosting, the money-laundering, and the targeting data all combine into an operational ecosystem that is more resilient than any single component.

Three specific implications:

Technical filtering catches the obvious cases but not the sophisticated ones. Mail-relay filters catch generic phishing volume. They miss campaigns that use specific demographic targeting, that use plausible sender domains, that have professional visual fidelity. The sophisticated campaigns get through.

User education has bounded effect. Telling users to be cautious about clicking links works for some users some of the time. It does not work consistently. The sophisticated phishing has visual fidelity high enough that even cautious users sometimes fall for it.

Authentication mechanisms are the structural answer. Two-factor authentication — where the credential alone is not sufficient to authorise transactions — is the only mechanism that meaningfully reduces phishing's effectiveness. Even sophisticated phishing produces only credentials; if credentials alone do not produce access, the phishing is much less valuable.

The defensive responses

Four defensive responses are forming, at uneven rates.

Industry coordination. The Anti-Phishing Working Group has matured into a serious coordinating body. It collects reports from member organisations, shares takedown templates, coordinates with hosting providers, and produces public statistics. The operation is non-trivial; the impact is bounded but real.

Browser-toolbar partnerships. Several banks are partnering with browser vendors to ship toolbars that visibly indicate the legitimate site or warn against suspected phishing pages. The first generation of these (2003–2004) was rough; the current generation is somewhat better. Adoption is uneven; the toolbars are most effective among already-cautious users.

Two-factor authentication, slowly. Some UK banks are beginning to deploy two-factor authentication for online banking, primarily through hardware tokens or one-time codes sent by SMS. The deployment is partial — most banks have it for some operations (large transfers, password changes) but not for routine login. The trajectory is positive but slow.

Customer education campaigns. All UK banks now have visible anti-phishing customer-education campaigns. The effectiveness is hard to measure; the volume of education is meaningful. The campaigns probably reduce the response rate among newly-targeted customers; long-time customers have already heard the messages enough that further education has diminishing returns.

What operators should do

For anyone running infrastructure that handles customer authentication:

Deploy two-factor authentication for sensitive operations. Not just for the highest-risk transactions; for any operation where credential theft would be operationally consequential. The cost is modest; the security improvement is substantial.

Audit your password-reset workflows. Many phishing operations target the reset workflow rather than the login workflow, because reset is often less protected. The reset path should require at least the same authentication strength as login.

Monitor for impossible-pattern logins. Logins from a customer's normal IP range followed shortly by logins from a different country are a strong signal of credential theft. The detection is not difficult; the response (challenge the second login with additional authentication) is straightforward.
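As an added illustration of the impossible-pattern check above (this is example code, not anything from the original post): a login from outside the customer's normal range, from a different country than the last normal-range login and within a short window, is challenged rather than blocked. The log lines, the per-customer ranges, the country codes and the two-hour window are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

WINDOW = timedelta(hours=2)  # constructed: how soon a conflicting login counts as "shortly after"

@dataclass
class Login:
    when: datetime
    account: str
    ip: str
    country: str

# Constructed authentication log: 'ISO-timestamp account ip country' per line,
# using documentation address ranges and made-up country codes.
SAMPLE_LOG = """
2005-03-01T08:02:00 alice 192.0.2.17 GB
2005-03-01T09:15:00 alice 203.0.113.7 RU
2005-03-01T09:30:00 bob 198.51.100.4 GB
2005-03-02T18:00:00 bob 198.51.100.9 GB
2005-03-05T10:00:00 bob 203.0.113.50 FR
"""
# Constructed per-customer baseline: the ranges each customer normally logs in from.
BASELINE = {"alice": ["192.0.2.0/24"], "bob": ["198.51.100.0/24"]}

def parse_log(text):
    rows = []
    for line in text.strip().splitlines():
        when, account, ip, country = line.split()
        rows.append(Login(datetime.fromisoformat(when), account, ip, country))
    return sorted(rows, key=lambda r: r.when)

def in_normal_range(login, baseline):
    return any(ip_address(login.ip) in ip_network(r) for r in baseline.get(login.account, []))

def decide(logins, baseline):
    """Return (login, action, reason); action is 'allow' or 'challenge' (step-up auth, not a block)."""
    decisions, last_normal = [], {}
    for login in logins:
        if in_normal_range(login, baseline):
            last_normal[login.account] = login
            decisions.append((login, "allow", "login from the customer's normal range"))
            continue
        prev = last_normal.get(login.account)
        if prev and prev.country != login.country and login.when - prev.when <= WINDOW:
            gap = login.when - prev.when
            decisions.append((login, "challenge", f"{prev.country} then {login.country} {gap} later"))
        else:
            # unfamiliar address but no recent conflicting login: plausible travel, let it through
            decisions.append((login, "allow", "unfamiliar address, no recent conflicting login"))
    return decisions

def challenged(log_text, baseline):
    """Accounts whose login should be challenged, in log order."""
    return [d[0].account for d in decide(parse_log(log_text), baseline) if d[1] == "challenge"]

if __name__ == "__main__":
    for login, action, reason in decide(parse_log(SAMPLE_LOG), BASELINE):
        print(f"{login.when:%Y-%m-%d %H:%M} {login.account:6} {login.ip:15} {action:9} {reason}")
```

Bob's login from an unfamiliar address three days after his last normal one is allowed, which is the window doing its job; only Alice's conflicting login an hour after a normal one is challenged.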

Educate customers, but expect bounded results. The education does help; it does not solve the problem. Education plus structural authentication is much better than either alone.

For anyone running mail relay infrastructure:

Aggressive filtering for known phishing patterns. Subject-line patterns, sender-domain patterns, content patterns. The maintenance burden is non-trivial; the catch rate is meaningful.

Sender authentication where deployed. SPF, Sender-ID, DomainKeys. None is yet universal; partial deployment still helps.

Clear communication when phishing is suspected. A clear message to the user that a particular email looks like phishing, with specific advice, is more useful than silently filtering or unmarked rejection.
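The three mail-relay points above (pattern filtering, using sender authentication where an upstream MTA has recorded a verdict, and a clear message to the user) in one added example; it is not code from the original post. The brand-to-domain table, the patterns, the Authentication-Results header and both sample messages are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr
# Constructed lookup: brand name (as it appears in display names) -> domains it legitimately sends from
BRAND_DOMAINS = {"examplebank": {"examplebank.example"}}
SUBJECT_PATTERNS = [r"verify your account", r"account (suspended|locked)", r"urgent.*(update|confirm)"]
BODY_PATTERNS = [r"enter your (pin|password|security number)", r"within 24 hours"]

def text_body(msg):
    parts = msg.walk() if msg.is_multipart() else [msg]
    return "\n".join(p.get_payload() for p in parts if p.get_content_type() == "text/plain")

def sender_auth_failed(msg):
    """Use the upstream SPF/DomainKeys verdict where one was recorded; no header means 'not deployed'."""
    return bool(re.search(r"\b(spf|domainkeys)=(fail|softfail)\b", msg.get("Authentication-Results", ""), re.I))

def brand_domain_mismatch(msg):
    """Display name claims a brand, but the address domain is not one the brand sends from."""
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rsplit("@", 1)[-1].lower()
    for brand, domains in BRAND_DOMAINS.items():
        if brand in name.lower().replace(" ", "") and domain not in domains:
            return brand, domain
    return None

def assess(raw):
    """Score one message; reasons are phrased for the recipient, not for the filter log."""
    msg = message_from_string(raw)
    score, reasons = 0, []
    if any(re.search(p, msg.get("Subject", ""), re.I) for p in SUBJECT_PATTERNS):
        score, reasons = score + 1, reasons + ["the subject uses wording common in phishing"]
    if any(re.search(p, text_body(msg), re.I) for p in BODY_PATTERNS):
        score, reasons = score + 1, reasons + ["it asks you to enter security details or act under a deadline"]
    mismatch = brand_domain_mismatch(msg)
    if mismatch:
        score, reasons = score + 2, reasons + [f"it claims to be {mismatch[0]} but was sent from {mismatch[1]}"]
    if sender_auth_failed(msg):
        score, reasons = score + 2, reasons + ["the sending server is not authorised for the sender's domain"]
    return score, reasons

def annotate(raw, threshold=3):
    """Tag suspected phishing with a plain-language warning header rather than silently dropping it."""
    score, reasons = assess(raw)
    msg = message_from_string(raw)
    if score >= threshold:
        msg["X-Phishing-Warning"] = ("This email looks like phishing: " + "; ".join(reasons)
            + ". Do not follow its links; call the organisation on a number from a printed statement.")
    return msg.as_string()
# Constructed sample messages (documentation-style domains; not real senders).
PHISH = """\
From: "Example Bank Security" <security@examplebank-verify.example>
Subject: Urgent: verify your account within 24 hours
Authentication-Results: relay.example.net; spf=fail smtp.mailfrom=examplebank-verify.example

Your account has been locked. Please enter your password and security number at the link below within 24 hours.
"""
LEGIT = """\
From: "Example Bank" <statements@examplebank.example>
Subject: Your March statement is available
Authentication-Results: relay.example.net; spf=pass smtp.mailfrom=examplebank.example

Your statement is ready. Log in as usual from the address you have bookmarked.
"""
```

The warning header carries the specific advice the user needs; a mail client or webmail front end can render it prominently, whereas a silent drop or an unexplained bounce teaches the user nothing.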

For anyone using online financial services:

Use two-factor authentication where available. Even imperfect 2FA is meaningfully better than passwords alone.

Use unique passwords for sensitive services. A password manager helps; the discipline of unique passwords is more important than the specific manager.

Verify unexpected emails out of band. A phone call to your bank using a number from your printed statements (not from the email) is the right verification mechanism.

Be suspicious of the texture of unexpected communications. Phishing has improved but is rarely perfect. Small textural cues — slightly wrong wording, slightly wrong formatting, slightly wrong workflow — are still detectable to attentive users.

What this implies for the next year

Three predictions, with probabilities:

Phishing volume continues growing. 95% probability, deadline end of 2005. The economic infrastructure favours the attackers; no structural change yet visible would reverse the trajectory.

A major UK bank takes a serious public hit from phishing. 70% probability, deadline end of 2005. The cumulative pressure is substantial; specific incidents are becoming more visible; one of them will be public.

Two-factor authentication for retail banking ships at a major UK bank. 60% probability, deadline end of 2005. The pressure is sufficient; the deployment cost is bounded; the trajectory points toward this being routine within 2-3 years.

A reflection on the category

Phishing has matured in ways I had not anticipated when I first wrote about it in 2001. The growth has been from "a category with some technical features" to "a commercial industry with mature infrastructure". The defensive response has been correspondingly slow.

The specific failure mode of the defensive response is that it has been distributed and uncoordinated. Every bank deploys its own anti-phishing measures; every browser vendor deploys its own toolbars; every operator deploys its own filters. The cumulative effect is substantial but the coordination is poor.

The attackers, by contrast, have managed to coordinate at the underground-market level. The toolkits propagate quickly; the techniques spread fast; the operational practice is shared. The asymmetry is uncomfortable.

What this teaches more generally

The phishing category illustrates a structural pattern that is increasingly visible across security:

The attackers operate as a market; the defenders operate as a collection of organisations.

This is the asymmetric structural problem of modern security. Markets are efficient at coordinating across many participants; organisations are not. Each individual organisation has bounded capacity to defend; the cumulative attacker capacity grows without bound as the market matures.

The response is, on the available evidence, going to require defenders to act more like a market — sharing intelligence, coordinating responses, deploying common infrastructure. The Anti-Phishing Working Group is one early example; the broader coordinated-defence model is years from operational reality.

For my own work: I will continue to participate in the coordinated-defence work where I can. The Honeynet Project is one channel; conference attendance is another; this notebook is a third. None of these is sufficient on its own; the cumulative effect across the security community is the only thing that scales.

A specific operational note

For anyone running a small business that handles customer financial data:

You are in the threat model. Phishing campaigns are no longer limited to major bank customers; smaller financial relationships are targeted as well. Customer credit-card numbers stored in your systems are at risk.

The disciplines from the small-business primer apply. Backups, updates, antivirus, strong passwords, email caution. None of these is specific to phishing; together they substantially reduce exposure.

Consider whether you actually need to store customer credentials at all. Many small businesses store credit-card numbers when they could be using payment-processor tokens that are not credentials in any meaningful sense. The reduction in stored data reduces exposure proportionally.

What I am doing on my own infrastructure

For my own setup: I have used unique passwords for years, two-factor where available, and the careful-with-email discipline that comes from years of writing about mail-borne attacks. My exposure to direct phishing is bounded.

For friends and family: an annual conversation about phishing patterns and what to do about them. The conversation does not reduce phishing volume but does reduce response rates among my immediate circle.

For the small organisations I help informally: incorporating phishing-defence into the standard advice. The advice is becoming more specific each year as the threat matures.

A closing observation

Phishing is a category that the security community is going to be working on for years. The economic infrastructure is too profitable; the technical defences are too partial; the structural responses are too slow. The cumulative cost — to consumers, to financial institutions, to the broader trust in online services — is substantial and growing.

The long-term answer is, on the available evidence, going to be a combination of: stronger authentication that does not depend on user-controlled credentials, better coordination among defenders, more aggressive law-enforcement response in jurisdictions that currently tolerate the underground markets, and gradual improvements in user education.

None of these is fast. The cumulative trajectory is positive but slow. The threat will outpace the response for some years yet.

For my own writing: more posts on this category as it develops. The specific incidents and techniques will produce material; the structural shifts will produce more material still.

More in time.

A deeper structural look at the phishing economy

I want to extend this post with a more careful examination of the phishing economy as a system. The earlier sections describe specific components; this section frames the system as a whole.

The supply chain

The phishing operation breaks into several distinct stages, each with its own specialists.

Stage one: target acquisition. Specific individuals or operators specialise in compiling target lists — email addresses with associated demographic data. The lists are sold or rented; the prices reflect the freshness and quality of the data. A list of recent customers of a specific bank, with names and email addresses, is more valuable than a generic list of email addresses.

The sources of target acquisition include: compromised marketing databases, harvested public data, purchased data from dubious sources, and direct compromise of customer-relationship management systems at retailers and service providers. The supply continues to grow as more organisations have customer data and as more of those organisations are compromised.

Stage two: campaign infrastructure. Specific operators build the campaign infrastructure — the phishing pages, the mail-sending capacity, the credential-collection back-end, the operational tooling for managing the campaign. The infrastructure is increasingly automated; the campaign launches require less skill than they did a few years ago.

The infrastructure operators may run the campaigns themselves or rent infrastructure to other operators. The model is similar to legitimate service-provider relationships — the infrastructure is one product; the operations are a separate product.

Stage three: campaign execution. The actual phishing campaign launches — emails sent, pages served, credentials collected. The campaign duration is typically short (days to weeks) before the infrastructure is rotated. The collected credentials are aggregated into a database.

Stage four: credential exploitation. The collected credentials are converted into money. The exploitation typically involves logging into the targeted accounts, attempting transfers or fraudulent transactions. The exploitation specialists may not be the same people who ran the campaign; the credentials are sold or rented to exploitation operators.

Stage five: cash-out. The fraudulent transactions need to be converted into actual money the criminals can use. Money mules, intermediated payment systems, cryptocurrency exchanges (in 2005 this is mostly e-gold) are the cash-out paths. The specialists in this stage operate across multiple jurisdictions to maximise the difficulty of investigation.

Each stage has its own specialists; transactions between stages happen in underground markets; the supply chain operates across multiple jurisdictions.

The economics

The specific economics of the phishing operation, as best I can reconstruct from the available reporting:

Per-credential value: £1-50 depending on quality. A captured online banking credential with associated personal information sells for substantially more than a captured email-account credential alone.

Per-campaign cost: £500-5,000 depending on scale and sophistication. A modest campaign targeting a single bank costs less than a sophisticated campaign with custom infrastructure.

Per-campaign revenue: £10,000-100,000 depending on success rate. A successful campaign captures several thousand credentials; a fraction of those produce monetisable transactions; the cumulative revenue is substantial.

Marginal cost per email sent: essentially zero. The infrastructure cost is largely fixed; sending more email per campaign does not meaningfully increase the cost.

The cost-revenue ratio favours the attackers by a substantial margin. Even campaigns with low success rates are profitable; campaigns with moderate success rates are highly profitable.

The defensive economics

The defensive economics are structurally worse. The cost of defence is substantial; the cost of compromise is borne primarily by victims who are not the operators making the defence decisions.

Per-customer education cost: Several pounds per customer per year. Banks spend substantial sums on customer education; the effectiveness is bounded; the cost is sustained.

Per-incident cleanup cost: Several hundred pounds to several thousand pounds per affected customer. Banks absorb the fraud losses; customers absorb the time-and-stress cost.

Mitigation infrastructure cost: Substantial fixed cost. Anti-phishing infrastructure, monitoring services, customer-protection systems, two-factor authentication. The investment is sustained; the per-customer cost is bounded but real.

Per-incident regulatory cost: Variable. Some incidents trigger regulatory action with substantial costs; many do not.

The defensive economics produce continued investment but the investment is structurally insufficient to outpace the threat-side growth. The gap continues to widen.

What might shift the economics

Three things, each unlikely in the near term:

Substantial reduction in the underground market. If the underground markets where phishing services are bought and sold are disrupted at scale, the supply chain breaks. This requires international law-enforcement cooperation that does not currently exist at sufficient scale.

Universal two-factor authentication. If credentials alone become insufficient for transactions across all major financial services, the value of phishing drops substantially. The deployment is partial; universal deployment is years away.

Liability shift to financial institutions. If banks are required to absorb losses from phishing-related fraud without recourse to customers, the incentive for stronger defence increases. Some jurisdictions have moved in this direction; the trajectory is uneven.

None of these is imminent. The cumulative trajectory points toward continued growth in phishing volume and impact for the next several years.

What this teaches operators

The specific defensive disciplines I described in the earlier sections continue to apply. The structural framing adds context.

For any operator running customer-facing infrastructure: the assumption that phishing is a problem only for the largest financial institutions is no longer correct. Smaller operators are increasingly targeted; the supply chain has scaled to make smaller targets economically viable.

For any operator running infrastructure that handles authentication: the credential-only authentication model is no longer adequate for sensitive operations. Two-factor authentication, even imperfect, substantially reduces the value of stolen credentials.

For any operator running infrastructure that processes financial transactions: anomaly detection on transaction patterns is increasingly important. The phishing-followed-by-fraud pattern produces specific behavioural signatures that can be detected.
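An added example of the behavioural signature just described (not code from the original post): a contact-detail or payee change, followed within a short window by a transfer to a payee the account has never paid, at an amount well above the customer's usual. The event stream, the history used for the baseline, the weights and the thresholds are all constructed assumptions; the flagged transfer is held for step-up authentication, not refused.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import median

WINDOW = timedelta(hours=48)  # constructed: how long after a profile change a transfer stays suspicious
AMOUNT_MULTIPLE = 3.0         # constructed: "unusual" means this multiple of the customer's median transfer
THRESHOLD = 3                 # constructed: score at which the transfer is held for step-up authentication

@dataclass
class Event:
    when: datetime
    account: str
    kind: str          # login | contact_change | payee_added | transfer
    payee: str = ""
    amount: float = 0.0

def ev(when, account, kind, payee="", amount=0.0):
    return Event(datetime.fromisoformat(when), account, kind, payee, amount)

# Constructed history used to build each customer's baseline.
HISTORY = [
    ev("2005-01-05T10:00", "alice", "transfer", "landlord", 600), ev("2005-01-09T10:00", "alice", "transfer", "utility", 80),
    ev("2005-02-05T10:00", "alice", "transfer", "landlord", 600), ev("2005-02-11T10:00", "alice", "transfer", "sister", 100),
    ev("2005-01-03T10:00", "bob", "transfer", "rent", 900), ev("2005-02-03T10:00", "bob", "transfer", "rent", 900),
    ev("2005-02-20T10:00", "bob", "transfer", "gym", 30),
]
# Constructed current events: alice's sequence is the phishing-followed-by-fraud signature.
EVENTS = [
    ev("2005-04-01T09:00", "alice", "login"), ev("2005-04-01T09:02", "alice", "contact_change"),
    ev("2005-04-01T09:05", "alice", "payee_added", "newco"), ev("2005-04-01T09:07", "alice", "transfer", "newco", 2400),
    ev("2005-04-03T10:00", "alice", "transfer", "landlord", 600),
    ev("2005-04-03T10:00", "bob", "transfer", "rent", 900), ev("2005-04-04T10:00", "bob", "transfer", "gym", 30),
]

def baseline(history):
    """Per account: (payees already paid, median transfer amount)."""
    payees, amounts = defaultdict(set), defaultdict(list)
    for e in history:
        if e.kind == "transfer":
            payees[e.account].add(e.payee)
            amounts[e.account].append(e.amount)
    return {a: (payees[a], median(amounts[a])) for a in amounts}

def score_transfers(events, base):
    """Return held transfers as (account, payee, amount, reasons); everything else passes."""
    held, changes = [], defaultdict(list)  # changes: account -> times of sensitive profile changes
    for e in sorted(events, key=lambda x: x.when):
        if e.kind in ("contact_change", "payee_added"):
            changes[e.account].append(e.when)
        elif e.kind == "transfer":
            known, typical = base.get(e.account, (set(), 0.0))
            score, reasons = 0, []
            if e.payee not in known:  # weighted highest: the fraud needs a payee the attacker controls
                score, reasons = score + 2, reasons + ["payee never paid before"]
            if typical and e.amount >= AMOUNT_MULTIPLE * typical:
                score, reasons = score + 1, reasons + [f"amount {e.amount:.0f} vs usual {typical:.0f}"]
            if any(e.when - t <= WINDOW for t in changes[e.account]):
                score, reasons = score + 1, reasons + ["follows a contact or payee change within 48h"]
            if score >= THRESHOLD:  # hold for step-up auth; a false positive costs the customer one challenge
                held.append((e.account, e.payee, e.amount, reasons))
    return held
```

Alice's regular rent payment two days later passes because the payee is known and the amount is normal for her, and Bob's habitual large rent transfer passes because a large amount alone never reaches the threshold.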

More as the year develops.
