We ran some numbers once, as part of my research, and it's something like if a single person gets caught, it is worth it to the spammer only if they sent out less than something like 500,000 pieces of spam. That's assuming he has a program which runs to substitute or fill the email address. We based that on the average power draw of a desktop, at the average electricity costs in the US, etc.
If the spammer is using a botnet (much more likely), they have to capture, on average, 8-10 people with their scam to make the investment in the botnet itself worthwhile. These things actually cost money, you see, for the spammer to buy. Factor in that its often phishing messages, and the numbers drop quite a bit, but that totally depends on who they catch, and what. Your credit card number, if it's been verified, is only worth a few bucks on the black market. That's it.
Bank accounts are often worth more than what's in them, as on average (this is the scary part) they are able to drain it twice. Not just once, but twice. People just don't learn. You would think they would change the password, but what often happens is that it gets drained right before and right after a paycheck hits it. Not sure why they don't wait, but I guess maybe they are worried about automatic payments stealing some money, or some **** like that?
A few years ago a guy in Colorado actually took the "Penis Enlargement" folks to court, claiming false advertisement. He might have had a small penis, but he had HUGE balls for being willing to take it that far. Figuratively speaking, of course.