A couple or advanced references...

Hash: SHA1

Credit card fraud was the most common form of reported identity
theft at 23 percent, followed by utilities fraud at 18 percent,
employment fraud at 14 percent, and bank fraud at 13 percent.

Right, but that may or may not have anything to do with the Internet;
see Identity Theft Study - Schneier on Security
(among many others).

Right -- which why I mentioned "fudge factor". :wink:

While I don't disagree completely with those studies, I do think
that they may not be currently accurate (but I have no way of knowing
that, of course -- the people who underwrite the losses keep this
information very much out of the public eye).

In any event, the level of "professionalized" effort and sophistication
employed in all levels of these criminal endeavors indicates that
there is indeed a financial incentive to pursue their efforts.

And unfortunately there seems to be enough "low hanging fruit" for
it to make it financially fruitful.

My angle really has very little to do with ISP-level mitigation of
these issues -- unfortunately, it has become an issue of incident
handling, notification, and response.

This has become a major issue in most of the Internet -- an issue
which most ISPs themselves are fairly insulated from (with the
exception of ISPs who administer residential broadband networks).

If ISPs think the only problem "out there" are DDoS attacks, they are
woefully naive.

- - ferg