What Is Phishing – Then & Now

Phishing has been around since the early 1990s, and while the intention has stayed the same, new ways to exploit victims are still evolving.  Phishing is still one of the highest ways a company can come under attack. According to the PHISHLABS publication of the 2019 Phishing Trends and Intelligence Report, phishing grew 40.9% in the US in 2018.  While it is difficult to comprehend the full impact of phishing scams, the FBI stated the result for US businesses could be around $5 billion a year.  Every business owner needs to have a good understanding of the impacts of phishing. This article will review the history of phishing and where it is today.

What is Phishing?

According to Wikipedia, “Phishing is the fraudulent attempt to obtain sensitive information such as usernames, passwords, and credit card details by disguising oneself as a trustworthy entity in an electronic communication.” A single phishing attack can lead to devastating results for a business. Almost any kind of organizational data can be valuable, whether used to commit fraud, access an organization’s network, hold it for ransom, or placed on the dark web.

History of Phishing

The term phishing was first recorded on January 2, 1996, by a Usenet newsgroup called AOHell. The reason for the use of “ph” instead of “f” is the earliest hackers were known as phreaks. Phreaking refers to the exploration and study of telecommunication systems.

Phishing attacks began by stealing passwords and credit card numbers through AOL. Hackers would open AOL accounts with the stolen information and start spamming other users for a wider variety of credentials and personal information. AOHell would provide special programs to simplify the process. AOL put an end to this practice in 1995, by increasing security measures to prevent the use of randomly generated credit card numbers. When AOL shut down the credit card scam, phishers took to email. They would send messages pretending to be AOL employees. Those messages asked customers to verify their billing information, unsuspecting users fell for this method, forcing AOL to include warnings on all email to alert of this type of abuse.

Phishing Evolves

The objective of phishing has not changed a lot over the years; however, construction and industries targeted have evolved. There was a time when detecting a phishing email required looking for misspelled words, foreign language inserted, logos discolored, and the email address from the sender did not match the business. That’s not the case anymore. Although the Nigerian Price scam has become passé, there are different versions of the same story, directed towards different sub-groups.

Over the years, phishers have been evolving their techniques and trying to evade detection. Phishing took form towards financial intuitions, trying to receive bank account numbers and SSNs. The emails became a sense of urgency, stating that you needed to click right away. They asked you to download the attachment in the email. Attacks even became automated campaigns to increase the odds of stealing someone’s credentials. As technology evolved, so did the phishing scams. Businesses and law enforcement officials continue to try and stay ahead of these types of attacks by increasing efforts in anti-spam techniques.

Phishing Today

Phishing has become a highly organized industry. A hacker can purchase a phishing kit through the dark web. These kits contain the necessary tools needed to create a phishing campaign. They are so prevalent that a criminal can define the target, type of evasion method, and software. Cybercriminals have taken to using large corporations to target and mimic websites such as Target, Google, Amazon, PayPal, Apple, Uber, Walmart and Macy’s.

While extending their reach to include successful corporations, they also include a personal aspect that targets unsuspecting victims. Hackers found the more personal the email, or relevant to the targeted interests, the more likely they will interact with the email.

Phishing has also come to take different directions with technology. Traditionally phishing was carried out via email. Modern-day phishing attacks target multiple platforms, utilizing social networks and cloud-based services. In recent years there has been a significant rise in phishing carried out in text message (smishing), phone calls (vishing), social media, and mobile applications. For instance, you may receive a text, followed by a phone call, which then encompasses an email. Businesses must keep up with the latest trends and educate themselves on how to identify a phishing scam.

Timeline of Phishing Incidents

1995 – Random credit card generators

1996 – The term “phishing” introduced

2000 – The ILOVEYOU virus

2001 – Attacks E-Gold

2003 – Attacks eBay & PayPal

2004 – Attacks online banking sites

2005 – Anti-SPAM Programs

2009 – Operation Phish Phry

2013 – The Target Data Breach

2016 – Democratic National Committee Breach

2018 – Booking.com Breach

2019 – 4.7 billion recorded as phishing emails