Conventional wisdom is that phishing represents easy money. In this paper we examine the economics that underly the phenomenon, and ﬁnd a very different picture. Phishing is a classic example of tragedy of the commons, where there is open access to a resource that has limited ability to regenerate. Since each phisher independently seeks to maximize his return, the resource is over-grazed and yields far less than it is capable of. The situation stabilizes only when the average phisher is making only as much as he gives up in opportunity cost.
From “A Proﬁtless Endeavor: Phishing as Tragedy of the Commons” by Cormac Herley and Dinei Florencio of Microsoft Research.