Phishing is a social engineering technique that manipulates victims into giving up personal information like names, passwords and credit card details by appearing to be from a trustworthy entity.
The term “phishing” was first recorded in 1996, in a Usenet newsgroup called AOHell. AOL was the top internet service provider at the time, with millions of users logging in each day. Because it was so popular, cybercriminals began sending messages to AOL users while masquerading as AOL employees.
As phishing was not a widely known technique back then, many people willingly handed over their personal information to these scammers.
By the 2000s, phishers had shifted their focus to exploiting online payment systems. The first such attack, on E-Gold, took place in June 2001. Although the attempt was reportedly unsuccessful, it opened up a range of new possibilities for phishers. It was not long before they expanded their attack vectors by registering dozens of domains resembling eBay and PayPal, then sending eBay and PayPal customers spoofed emails containing fake links that asked victims to update and verify their accounts.
The first known phishing attack against a bank took place in September 2003 and was reported by The Banker.
Today, phishing methods have only become more varied as fraudsters continue to find new ways to inspire confidence, avoid detection and wreak havoc. The stakes have never been higher.
The rewards criminals can reap, coupled with the minimal effort and resources needed to execute an attack, have made phishing the weapon of choice for cybercriminals seeking to access and steal sensitive information from notable individuals and large enterprises.
Phishing scams have become increasingly sophisticated and difficult to identify over the years. Despite varying greatly in scope and approach, most phishing attacks share a common characteristic: the intention to trick users in order to acquire valuable data. Some major categories include:
Whereas a typical phishing scam does not discriminate among its targets, spear phishing is far more targeted: the attacker has a specific individual in mind whom they wish to compromise in order to extract particular, valuable information. These attacks are more personalized and have a higher success rate, but they require significant research and planning on the part of the criminal, so they are less common.
Smishing is a variant of phishing that uses text messages to trick users into calling back a fraudulent number or downloading malicious content that steals their confidential data.
Phone phishing scams are often harder to identify because they take advantage of users by tricking them into revealing confidential information over a phone call.
Whaling targets the “big fish” of an organization, often with emails that resemble formal correspondence from a trusted source in order to initiate a financial transaction or obtain valuable information.
Clone phishing works by creating a nearly identical copy of an email the target has previously received, substituting its legitimate links and attachments with malicious ones. These emails often claim to be an updated version of the earlier message.
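As an added example (not part of this article), a defender-side check in Python for the clone pattern just described: it compares a newly received message against one the user already has and flags it when the subject is near-identical but the links point at hosts the earlier message never used. The sender, subjects and URLs are constructed placeholders.

```python
"""Defender-side check for clone phishing (added example, constructed data)."""
import difflib
import email
import re
from email import policy
from urllib.parse import urlparse

URL_RE = re.compile(r"https?://[^\s\"'<>)]+", re.IGNORECASE)
PREFIX_RE = re.compile(r"^\s*(?:re|fw|fwd)\s*:\s*", re.IGNORECASE)

def parse(raw_message: str):
    return email.message_from_string(raw_message, policy=policy.default)

def normalise_subject(subject) -> str:
    """Drop reply/forward prefixes, case and extra whitespace before comparing."""
    return " ".join(PREFIX_RE.sub("", subject or "").lower().split())

def link_hosts(raw_message: str) -> set[str]:
    """Hostnames of every URL in the message body (HTML part preferred)."""
    body = parse(raw_message).get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body is not None else ""
    return {urlparse(url).hostname or "" for url in URL_RE.findall(text)}

def is_probable_clone(original: str, candidate: str, threshold: float = 0.8):
    """Flag the candidate when its subject nearly matches the original's but it
    links to hosts the original never used; returns (flag, new_hosts)."""
    a = normalise_subject(parse(original)["subject"])
    b = normalise_subject(parse(candidate)["subject"])
    similar = difflib.SequenceMatcher(None, a, b).ratio() >= threshold
    new_hosts = link_hosts(candidate) - link_hosts(original)
    return similar and bool(new_hosts), new_hosts

# Constructed sample messages; the domains are placeholders, not real services.
ORIGINAL = """From: Billing <billing@example-bank.test>
Subject: Your March statement is ready
Content-Type: text/plain; charset=utf-8

View it at https://secure.example-bank.test/statements/march
"""
CLONE = """From: Billing <billing@example-bank.test>
Subject: Re: Your March statement is ready (updated)
Content-Type: text/plain; charset=utf-8

Please use the updated link: https://secure.example-bank.test.statements-login.example/march
"""

if __name__ == "__main__":
    print(is_probable_clone(ORIGINAL, CLONE))  # (True, {'secure.example-bank.test.statements-login.example'})
```

A real mail filter would also compare attachment names and the authenticated sender domain, which this check deliberately leaves out to stay short.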
While many phishing emails contain easy-to-spot mistakes such as poor grammar and spelling, some are so well constructed that even the most astute individuals have a hard time telling them apart from genuine messages.