The amount of time and money it takes to send out 10 million phishing emails versus five million emails is negligible once the attacker has his infrastructure in place. As a result, these attacks are still quite prevalent, despite their diminishing economic return. But even with relatively low returns per attack, these kinds of scalable attacks yield a high profit for professionals, said Cormac Herley of Microsoft Research."Non-scalable attacks have to be selective attacks. Every attack costs you something," Herley said. "If the non-scalable attacks can't match the return of the scalable attacks, she should change tactics. At equal costs, she needs a way better yield. But competing on yield makes no sense because when she extracts the same value per victim, there's too much effort."