Direct answer
How do attackers monetize phishing? Through credentials, sessions, card data, bank transfers, crypto wallets, mule accounts, fake support flows and resale markets.
Research framing
The economics of phishing explain why campaigns survive individual takedowns. The domain is disposable; the kit, cash-out route, traffic source and operator workflow are often reusable.
Attack mechanism
A campaign can combine a kit vendor, a traffic buyer, a hosting provider, a mule recruiter, a fake support route and a credential buyer. This modularity reduces cost and speeds redeployment.
Evidence and source model
Evidence includes repeated kit assets, panel paths, Telegram bot hooks, ad/search traces, payment artifacts, wallet reuse, IBANs, callback numbers and recurring source families.
Belgian and European relevance
Belgian fake investment platforms, banking lures, parcel scams and recovery-room fraud often reveal monetization through phone, WhatsApp, IBAN or fake dashboard journeys.
How PhishNet operationalizes this
PhishNet connects these economic artifacts through the fraud route graph, fake financial platform watch, mule-route extraction and export profiles for CCB/CERT and financial institutions.
Analyst implications
The operational question is not whether an isolated row looks interesting. The question is whether the signal is fresh, provenance-rich, corroborated, evidence-ready and connected to brands, sectors, infrastructure, kits, mule routes or public-warning context. PhishNet therefore presents confirmed, corroborated suspicious, review-candidate and context-only states separately.
Limits and uncertainty
Open sources show fragments of the market. Weak social/ad/search signals remain review-first until corroborated, official, archived or analyst-confirmed.
Research takeaway
Phishing intelligence becomes valuable when repeated structure appears: the same brand on new infrastructure, the same kit across domains, the same phone or IBAN route after takedowns, the same ad/search pathway, or the same evidence pattern in multiple independent source families.
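The repeated-structure test described above can be sketched as a small correlation pass. This is an added example, not PhishNet's own code: the observation columns, the sample values (all constructed placeholders), the state labels and the two thresholds are assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample observations (placeholder values, not real indicators).
# Columns: domain, source_family, kit_hash, iban, phone. Schema is an assumption.
OBSERVATIONS = [
    ("invest-a.example", "url-feed",    "KIT-AAA", "BE00 0000 0000 0001", None),
    ("invest-b.example", "user-report", "kit-aaa", "be00000000000001",    "+32 400 00 00 01"),
    ("parcel-c.example", "url-feed",    "KIT-BBB", None,                  "+32400000001"),
    ("parcel-d.example", "url-feed",    "KIT-BBB", None,                  None),
    ("bank-e.example",   "ad-trace",    "KIT-CCC", None,                  None),
]
FIELDS = ("kit_hash", "iban", "phone")


def normalize(field, value):
    """Canonicalize an artifact so formatting differences do not hide reuse."""
    if field == "iban":
        return "".join(value.split()).upper()
    if field == "phone":
        return "".join(ch for ch in value if ch.isdigit())
    return value.strip().lower()


def repeated_structure(observations, min_domains=2, min_families=2):
    """Return artifacts seen on several domains, each with a triage state."""
    domains, families = defaultdict(set), defaultdict(set)
    for domain, family, *artifacts in observations:
        for field, value in zip(FIELDS, artifacts):
            if value:
                key = (field, normalize(field, value))
                domains[key].add(domain)
                families[key].add(family)
    findings = []
    for key in sorted(domains):
        if len(domains[key]) < min_domains:
            continue  # seen on one domain only: no repeated structure yet
        # Independent source families corroborate; a single family stays review-first.
        state = "corroborated" if len(families[key]) >= min_families else "review-candidate"
        findings.append({"artifact": key, "domains": sorted(domains[key]),
                         "families": sorted(families[key]), "state": state})
    return findings


if __name__ == "__main__":
    for f in repeated_structure(OBSERVATIONS):
        print(f["state"], f["artifact"], f["domains"])
```

The kit seen on two domains through a single source family stays a review candidate, while the IBAN and phone route reported by two independent families are marked corroborated.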
How PhishNet uses this
Inside PhishNet this topic is treated as operational graph context: observations are linked to sources, evidence, Belgian relevance, confirmation state, liveness, campaigns and exports. Public pages explain the method; authenticated users can pivot into the full platform workflow when a signal needs investigation or handoff.
Selected sources and research
These pages combine PhishNet platform knowledge with public research, official Belgian sources and open OSINT documentation.
Common questions
How do attackers monetize phishing?
Through credentials, sessions, card data, bank transfers, crypto wallets, mule accounts, fake support flows and resale markets.
Why track economics?
It reveals reusable bottlenecks that can be disrupted beyond one domain.