Forensic characteristics of phishing petty theft or organized crime?

Phishing, as a means of pilfering private consumer information by deception, has become a major security concern for financial institutions and their customers. Gartner estimated losses in 2006 to phishing in the US were approximately USDS2.8 Billion. Little has been published on the forensic characteristics exhibited in phishing e-mail. We hypothesize that shared features of phishing e-mails can be used as the basis for grouping perpetrators using at least a common modus operandi, and at most, a level of criminal organization - i.e., we suggest that phishing activities are carried out by a small number of highly specialized phishing gangs, rather than a large number of random and unrelated individuals using similar techniques. Analysis of repeated phishing e-mails samples at a major Australian financial institution - using a criminal intelligence methodology - revealed that 6 groups, from a sample of 500,000 spam e-mails, could be uniquely classified by constructing simple decision rules based on observed feature sets, and that 3 groups were responsible for 86% of all incidents. These results suggest that - at least for the institution concerned - there appears to be a level of criminal organization in phishing attacks.