… each respondent to a Nigerian 419 email requires a large amount of interaction, as does the Facebook “stuck in London scam.” Credentials may be stolen by the millions, but emptying bank accounts requires recruiting and managing mules. The endgame of many attacks require per-target effort. Thus when cost is non-zero each potential target represents an investment decision to an attacker. He invests effort in the hopes of payoff, but this decision is never flawless.
(H/T: Marginal Revolution)