Phishing and spear phishing are some of the most common tactics used by hackers to steal information from internet users and infect their hardware with malicious programming that could render it useless.
What is phishing? Phishing is the act of sending fake emails to a large number of recipients at random with the expectation that only a small percentage will respond. These emails consist of scams that attempt to trick the recipient into providing confidential information, like account credentials, to the attacker.
Spear phishing emails take this a step further as they are more targeted to the victim in nature. Hackers select an individual target within an organization, using social media and other public information and craft a fake email tailored for that person. This makes the victim more likely to interact with the email as they are tricked into believing it is legitimate.
Where did this all originate? How did phishing scams come to be? They are considered one of the most prominent forms of cyber threats out there today, which correlates with emails being one of the most popular methods of communication, such as in email marketing.
Origins of the Term
Internet records indicate that the first time that the term “phishing” was used and recorded was on January 2, 1996, in a newsgroup called AOHell.
Some of the earliest hackers in the game were dubbed “phreaks.” It’s no surprise, then, that the term phishing grew from the nickname. The use of “ph” in place of the “f” was common in the telecommunication field back in the day. For example, phreaking refers to the exploration, experimentation, and study of telecommunication systems. Phreaks and hackers have always been closely linked. The “ph” spelling in “phishing” was used to link the scams with these underground communities.
But why “phishing”? When you consider the definition of the term, one can see the metaphor clearly. Hackers capture information from users much like capturing a fish that is lured to a hook by a fake bait. In the context of phishing, the spoofy bait is the email.
Where Did Phishing Originate?
In the early 1990s, dial-up was king and American Online (AOL) was your go-to internet provider. During this time, millions of people were interconnected via the world wide web daily — granted, sometimes not at the same time if in the same household.
But not everyone intended to use the internet for good. Hackers and those who traded pirated software also communicated via the internet, forming bonds and schemes. This community became dubbed as the warez community. The warez community eventually made the first moves to conduct phishing attacks.
At first, phishers would steal users’ passwords and used algorithms to create randomized credit card numbers. These random credit card numbers were used to open AOL accounts, which were then used to spam other users and for a wide range of other things. In 1995, AOL finally interfered by creating security measures to prevent the successful use of randomly generated credit card numbers.
Since their random credit card number generating scheme was shut down, phishers decided on an alternative that would wind up enduring. They decided to send messages to users as if they were AOL employees communicating through the AOL instant messenger and email systems.
These messages consisted of requests for users to verify their accounts or to confirm their billing information. This scam tricked many people, especially since nothing like it had ever been done before. The problem intensified when phishers set up AIM accounts through the Internet since they were outside AOL jurisdiction.
AOL’s solution? The internet provider decided it would include warnings on its email and instant messenger clients to keep people from providing sensitive information on those platforms.
How Has Phishing Evolved?
Soon after the AOL schemes died down and e-commerce rose to the forefront of the online space, phishers turned their attention to online payment systems. The first recorded attack was on E-Gold in June 2001, although it was unsuccessful. By late 2003, phishers registered dozens of domains that imitated legitimate sites like eBay and PayPal to those who were not paying enough attention. They then sent out fake emails to PayPayl customers using email worm programs. These led users to spoofed sites, where they were asked to update their credit card details and other identifying information.
Fast forward to the start of 2004, and phishers are riding a huge wave of success that includes attacks on banking sites and their customers. They began to use tactics like popup windows, which were used to capture sensitive information from victims. Since then, many other sophisticated methods have been developed, including:
- Links (change your password, click for discount, etc.)
- Impersonations of someone the recipient knows
- Requests for sensitive data
These days, phishing is alive and well. It continues to be a hot topic of discussion among cybersecurity experts as they work to find better solutions to combat hackers daily.