Gunter Ollmann, chief security strategist for IBM Internet Security Systems, identifies three tiers in this unfolding criminal industry: low-level criminals who buy and use kits to execute specific crimes; skilled developers, often in groups, working to develop new components for their commercial malware-creation products; and "managed service providers" that can apply and sustain malware attacks on a global scale.

Meeting these threats will require a three-pronged initiative, according to the report: technology, regulation, and education. Technology such as DomainKeys Identified Mail (DKIM) and Sender Policy Framework (SPF) to sign e-mails, coupled with user education, can almost entirely eliminate phishing as a problem, according to some security researchers. One possible avenue for government regulation is modeled on auto insurance, which auto owners in most states are required to buy. Government could require purchase and update of appropriate security applications, according to researchers.