The history of Phishing

Phishing is a type of cybercrime that involves tricking individuals into giving up sensitive information, such as passwords or credit card numbers, often through the use of spoofed emails and fake websites. It has been around for decades, and its methods and techniques have evolved over that time. Let’s take a brief look at the history and evolution of phishing, and how organizations can protect themselves.

Early recorded instances of phishing date back to the mid-1990s, when hackers seized upon the explosive adoption of America Online for home internet service. Attackers found it all too easy to trick new AOL users into revealing their passwords and other sensitive information. Once a user’s AOL account was compromised, it could be used to spam and target other users. Phishing scams quickly advanced from using interesting subject lines in emails to sending emails from seemingly familiar contact names and companies. Hackers found ways to create fake AOL accounts using randomly generated credit card numbers and would then target others from the fake accounts. It did not take long before attackers were using AOL chat rooms and posing as AOL employees to collect sensitive information from unsuspecting users. These early phishing scams were relatively simple and sometimes easy to recognize, but they marked the beginning of a new era of cybercrime.

In the early 2000s, phishers began impersonating online merchants like eBay, Amazon, and PayPal. Phishers registered similar domain names and deployed websites intended to masquerade as popular online brands. Phishers made use of malware to distribute spoofed emails leading recipients to the fake sites, where victims were then tricked into “updating” their billing information and other sensitive information.

With the rapid rise of social media networks in the early 2010s, phishers learned to further personalize their messages with information collected from social media profiles. This refinement, known as spear phishing, is more often successful in tricking victims into falling for a phishing attack. The tactic has proven to be so successful for phishing actors, that they find and use similarly relevant personal information harvested from data breaches, sometimes found on the dark web.    

The evolving state of Phishing

With increased sophistication, phishing attacks have become one of the most common types of cybercrime. Some estimates show that over 150 million phishing attacks take place each day, and the number is growing. They are increasingly difficult to detect. Individuals, businesses, and government agencies are all subject to phishing attacks. Let’s explore how hackers are becoming more sophisticated in their attacks and evolving their strategies and tools to trick even the most cautious user into divulging important information.

Personalization: One of the most striking changes in phishing emails is the level of personalization they offer. Gone are the days of generic, mass-produced phishing emails. Today, phishing emails are tailored to the individual recipient, often including their name, address, and other personal details. This level of personalization makes the email seem more trustworthy and makes it more likely that the recipient will fall for the scam.

Urgency: Another tactic that hackers are using to increase the effectiveness of phishing emails is urgency. They create a sense of urgency by claiming that there is a problem with the recipient’s account or that their personal information has been compromised. The recipient is then instructed to click on a link or enter their information to rectify the situation, which of course leads to their personal information being compromised.

Artificial Intelligence: Artificial intelligence and machine learning algorithms are becoming increasingly popular in phishing attacks. These technologies allow hackers to automate the creation and distribution of phishing emails, and to make them appear even more realistic. For example, AI can analyze an individual’s email history and personal information to create a more convincing phishing email that is tailored to the recipient.

Social Engineering: Social engineering is another technique that hackers are using to increase the effectiveness of phishing emails. They use psychological manipulation to trick individuals into divulging sensitive information. This might include pretending to be a trusted authority figure, such as a bank representative, or creating a sense of urgency by claiming that there is an emergency.

Phishing emails are becoming more sophisticated and convincing, and it is important to be aware of these evolving tactics. Users must be more cautious than ever of emails and messages that appear to come from a trustworthy source and to avoid clicking on links or downloading attachments from unknown sources. Given the frequency and sophistication of phishing attacks, it is more important than ever for organizations to implement strong protections against these attacks. A multi-layered approach, combining technical controls, user education, and organizational policies, is the best defense against phishing.  By being vigilant and taking the necessary precautions, you can help protect yourself from falling victim to phishing attacks.

Thank you for reading! Stay tuned for our next post, where we will dive into the most effective measures for protecting your organization against the evolving sophistication of Phishing threats.

Written by Richard Dial and Michael Brazeau