The New York Times has a good article on the growing phishing epidemic.
On how much money phishers make:
In February, Alec Scott Papierniak, 20, a college student in Mankato, Minn., pleaded guilty to wire fraud. He had sent people e-mail messages with a small program attached that purported to be a "security update" from PayPal. The program monitored the user's activity and reported their PayPal user names and passwords back to Mr. Papierniak.
Prosecutors say that at least 150 people installed the software, enabling Mr. Papierniak to steal $35,000.
While most of those prosecuted so far for phishing have been in the United States, eBay, working with the Secret Service, has investigated a series of scams originating in Romania. More than 100 people have been arrested by Romanian authorities. One of them, Dan Marius Stefan, convicted of stealing nearly $500,000 through phishing, is now serving 30 months in a Romanian prison.
On how much it costs companies:
The financial losses of most phishing victims, particularly those subject to credit card fraud, often end up being absorbed by banks and their insurance companies.
But the costs are real. "We get 20,000 phone calls every time one of those goes out, and it costs us 100 grand," said Garry Betty, EarthLink's chief executive. "I got so mad one month when we had eight attacks," he said, explaining that he is pressing his legal department to find someone important to make an example of.
That is 100 grand for each attack, while it costs phishers nothing but an afternoon to launch one. If and when the spamming tide turns for the better, we'll also have a growing number of pissed-off spammers with the motive and incentives to turn to phishing. Hmm.
The combined picture is not pretty, even if the phishing attempts are not successful. Microsoft could also face lawsuits from companies whose bottom lines are being hit by phishers, and be forced to remove the HTML e-mail feature from Outlook and add anti-phishing features to IE.