Lee Gomes's WSJ article today on phishers -- the Internet scam artists who induce people to fraudulently disclose personal financial informs -- has fascinating insight into the structure of phishing. Amazingly, the structure of phishing is not necessarily hierarchical within a single criminal enterprise. There is a division of labor, where independent contractors acquire the data (acquirers) and then sell it to others (pillagers), who raid ATM's or otherwise empty victims bank accounts. The acquirers and the pillagers apparently enter into contractual relationships over Internet chat boards, agreeing to split the spoils pursuant to a negotiation.
What is interesting, Gomes notes, is how this market between acquirers and pillagers is maintained through reputational credibility. Obviously, contracts to consummate illegal acts are unenforceable at law. Furthermore, traditional means for criminal enterprises to enforce obligations – namely force and threat of bodily or other harm -- are not as readily available in these Internet contracts. Accordingly, a system of trust and reputational capital has appeared, where pillagers who do not share the ill-gotten gains with the acquirers are quickly flushed from the market through posts on message boards. By contrast, pillagers who do share with the acquirers get repeat business, and presumably a rather lucrative division of spoils thrives. As a matter of game theory, the key is that the players in this market are repeat transactors. For a one-time phishing pillager, it would make sense to cheat the acquirer out of his share.
To be sure, it is quite difficult to celebrate the ingenious market structure of the Internet's current criminal scourge. Nevertheless, the structure does make some sense when you think about it, and by how it takes advantage of the Internet's distributed, atomized nature. For prosecutors, it raises an interesting question of whether these phishing market relationships constitute a criminal enterprise under, say, RICO statutes. As for a curious instance of an spontaneous organization of a market, it shows in some sense how markets are natural and irrepressible. This market devised its own currency (reputation), defined its own property and contract rules, and apparently has a equilibrium for division of spoils.
Question: How do the phishing acquirers induce the pillagers to honestly report how much money they have stolen? Why wouldn't an pillager simply underreport to the acquirer how much they stole? There must be some sort of receipting-system that has been worked out, wouldn't you think?