IMC Grupo

A Brief History of Phishing Scams

As widespread as phishing is today, it hasn’t been around forever. Although this tactic originated sometime around the year 1995, these scams were not commonly encountered by everyday people until nearly ten years later. To avoid falling prey to such frauds, it is helpful to have a basic understanding of the history behind them.

Phishing scams dominate every cybersecurity report published in the past decade. Phishing is a beloved initial attack vector for criminals since they use social engineering tactics to persuade unsuspecting people into disclosing personal data such as banking accounts. The IBM 2023 Cost of a Data Breach report indicates that the cost of breaches originating from a phishing scam is much higher than the global average cost of data breaches. And the Verizon 2023 Data Breach Investigations Report says that phishing, along with compromised credentials and vulnerability exploitation, is among the top three ways in which attackers penetrate an organization’s systems. Let us not forget that the human factor is involved in 74% of data breaches and that phishing scams are all about manipulating human biases.

Let’s dive into history and learn about phishing scams!

The 90s – Dance to the sound of the phish!

January 2, 1996, was a historic day; it was the first time that the term “phishing” was recorded. The mention occurred in a Windows application called AOHell. The program had a “phisher” tool, which allowed scammers to automatically use social engineering to steal passwords and credit card information. This program would send instant messages to random AOL users: 

“Hi, this is AOL Customer Service. We’re running a security check and need to verify your account. Please enter your username and password to continue.” 

Phishers stole passwords and utilized algorithms to generate credit card numbers. Although successful hits were infrequent, they still caused significant harm. The generated credit card numbers were then used to create AOL accounts and send spam to other users. However, AOL ended this practice in 1995 by implementing security measures to prevent the use of randomly generated credit card numbers.

The Noughties – Take me to the edge of phish!

Phishing, in many ways, has remained unchanged since its AOL heyday. However, in 2001, phishers shifted their focus toward online payment systems. The first attack on E-Gold in June 2001 was unsuccessful, but it did set the stage for future attacks. By late 2003, phishers had registered several domains that appeared to be legitimate, impersonating sites like eBay and PayPal. They used email programs to send spoofed emails to PayPal customers, leading them to fake sites where they were asked to update their credit card information and other identity verification details.

In early 2004, phishers experienced a surge in success with their attacks on banking sites and their clients. They used popup windows to obtain sensitive information from their victims. From May 2004 to May 2005, around 1.2 million users in the U.S. suffered losses, amounting to roughly $929 million due to phishing. Organizations also lose an estimated $2 billion annually because of this type of fraudulent activity.

Phishing is officially recognized as a credible threat. The launch of Bitcoin and other cryptocurrencies in 2008 was a game changer for criminals, who can now hide their illegal transactions from the eyes of law enforcement.

The 10s and beyond – Phishing falls in love with Ransomware

In 2013, Cryptolocker ransomware spread to 250,000 personal computers. It was the first malware of its kind and was delivered to victims through two phishing emails. The first email contained a Zip archive attachment that pretended to be a customer complaint and targeted businesses. The second email had a malicious link with a message about a check-clearing issue and targeted the general public. Once the victim clicked on the attachment, Cryptolocker encrypted all the files on their computer and demanded payment in exchange for the decryption key to unlock the files.

Since 2017, phishers have been increasingly using HTTPS on their sites. The green padlock becomes a vulnerability, giving consumers a false sense of security. While it does indicate that the traffic between the server and the user’s browser is encrypted and protected against interception, it doesn’t necessarily mean that the site is legitimate.
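A triage check for the point above and for the lookalike domains described earlier, as an added example that is not part of the original article: the verdict depends on the hostname, never on whether the scheme is HTTPS. The trusted domain `examplepay.example`, the sample URLs and the function names are constructed for illustration, and the last-two-labels rule is a simplifying assumption (a production check would use the Public Suffix List).

```python
from urllib.parse import urlsplit

# Constructed allowlist: the domains this organisation actually expects to see.
TRUSTED_DOMAINS = {"examplepay.example"}

def edit_distance(a, b):
    """Levenshtein distance using a rolling row of the DP table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def registered_domain(host):
    """Assumption: the registrable domain is the last two labels (no co.uk-style suffixes)."""
    return ".".join(host.split(".")[-2:])

def assess(url):
    """Report encryption and legitimacy as two independent facts about a URL."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower().rstrip(".")
    domain = registered_domain(host)
    if domain in TRUSTED_DOMAINS:
        verdict = "trusted-domain"
    elif any(label.startswith("xn--") for label in host.split(".")):
        verdict = "suspicious: punycode label"
    elif any(edit_distance(domain, t) <= 2 for t in TRUSTED_DOMAINS):  # threshold is an assumption
        verdict = "suspicious: near-miss of trusted domain"
    elif any(t.split(".")[0] in host for t in TRUSTED_DOMAINS):
        verdict = "suspicious: brand name embedded in foreign host"
    else:
        verdict = "unknown"
    # "encrypted" only describes the transport; it never feeds into the verdict.
    return {"encrypted": parts.scheme == "https", "domain": domain, "verdict": verdict}

if __name__ == "__main__":
    for sample in (  # constructed sample URLs
        "https://www.examplepay.example/signin",
        "https://examp1epay.example/login",
        "https://examplepay.example.account-verify.test/update",
        "http://www.examplepay.example/",
    ):
        print(sample, assess(sample))
```

Three of the four sample URLs carry a padlock, yet only one of those belongs to the trusted domain; the plain-HTTP URL is on the trusted domain but unencrypted.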

More recently, there has been a phishing campaign that targeted organizations affiliated with the 2018 Winter Olympics. This campaign was unique because it utilized a PowerShell tool that enabled attackers to conceal harmful scripts within seemingly harmless image files. These scripts were then executed from memory, which is a fileless technique that often goes undetected by traditional antivirus software. By hiding the script in an image file and executing it directly from memory, the attackers were able to avoid detection more easily.

In the same year, researchers discovered a readily available phishing kit on the Dark Web that enabled criminals to easily craft convincing emails and redirect victims to sites that closely mimic branding elements of well-known firms. The phishing campaigns collected the personal and financial information of unsuspecting targets.

In 2019, a new type of attack, vendor email compromise, surfaced. This attack falls under the category of business email compromise (BEC) attacks. Essentially, cybercriminals hack into email accounts belonging to smaller companies within a larger enterprise’s supply chain. They then use these accounts to target the bigger company’s customers. The goal is to deceive customers into paying fake invoices. These attacks are mainly targeted toward organizations with global supply chains.

In the past decade, phishing emails have been the most common form of online scams. However, in 2020, there was a significant increase in scams conducted through phone calls (vishing) and text messages (smishing). Furthermore, phishing emails related to the Covid-19 pandemic became rampant, with popular themes such as fake CDC warnings, Netflix scams, fines for leaving quarantine, and more. These types of attacks have affected every country in the world.

The rise of generative AI tools in late 2022 and early 2023 has become one more pain point for companies and citizens. Scammers can craft highly convincing phishing emails without any syntactical or grammatical mistakes to trick even the most careful and aware people.

How to protect against phishing

Even after almost thirty years of facing phishing attacks, many employees remain susceptible to this type of cybercrime. While cybersecurity experts are constantly searching for ways to counter scammers, malicious actors are also developing more innovative tactics to deceive users. Nevertheless, there are still methods to identify and stop phishing attacks, even when their approach varies. The most effective prevention measures are:

The combination of solutions that address the people, process, and technology elements of cybersecurity is the best way of addressing the phishing problem.