It is a pure and simple matter of statistics. The phishing attempts that most people have become accustomed to are those that are sent to the widest range of addresses – you know, the PayPal, Washington Mutual, and Smith Barney emails you get with the embedded JPEG asking for your account information. The only problem is, you don’t have an account at any of those places. So, the phishers blanket inboxes hoping to catch just a few suckers who do. The low cost of implementation doesn’t help – sending email is cheap, cheap, cheap.
Huge distribution × low rate of success = some big dollars.
However, the opposite methodology could be applied as well, and it is.