Phishing scams turn 20 years old: A (brief) history and current trends

August 05, 2015

By Alissa Green

You’ve been warned to avoid phishing attacks since the moment you opened an email account, and for good reason. But how long has phishing actually been around? And how did it come to be?

Designed to mimic credible communications – primarily via email – phishing has actually only been around for a few decades.

It was in the mid-nineties that “phishing” first began to be called by that name. It’s a smart hack, really. Obviously, the meaning of fishing makes sense, since all phishing attacks are fishing for information – but what about the “ph”? The “ph” is actually derived from the term “phreaks,” a name for the earliest hackers.

You may be surprised to learn that phishing originated in 1995 – even though the greater public didn’t become familiar with it until nearly 10 years later. The first mention of phishing occurred in January 1996, in an America Online chat room. Think back to the nineties and that will make sense; AOL was a prime target for early cyber security scams because the company provided Internet access to millions of users, many of whom would prove to be unsuspecting targets.

What’s ironic is that many of the hackers also used AOL to connect. They would create randomly generated credit card numbers and attempt to open AOL accounts with them. Then, they would send messages to users that appeared to come from AOL employees.

September 11 identity checks

Following the September 11 terrorist attacks, phishers capitalized on the tragedy to conduct fake identity checks, trying to steal data from the E-Gold digital currency service. While the attack failed, it brought heightened attention and publicity to phishing, prompting new criminals to get in on the phishing trend.

By 2004, phishing had become a more frequent cyber-security issue, with an estimated $929 million lost between May 2004 and May 2005.

The state of phishing today

Phishing, unfortunately, continues to be a growing problem. In the second half of 2014, there were 123,972 unique phishing attacks worldwide against specific websites; the same number as in the first half of 2014 and the most tracked since 2009. 

“The largest trend I’ve seen is the trend towards intimacy and the sense the attacker gives you that he’s a friend or a colleague,” says Peter Cassidy, the secretary general of the Anti-Phishing Working Group (APWG). “Think about what people express publicly now vs. 15 years ago. It used to be very difficult to find information on people outside of their house.

“Now, people put so much information online and the bad guys can create semi-custom approaches and create these fantastically precise narratives. Ordinary people think they’re talking to a friend and instead it’s a script.”

All of this relationship-building background work is done for the one moment when phishers attempt to get you to click on a link. To hear Cassidy explain various scenarios, it does sound frighteningly easy – dirty links can be sent disguised as new baby photos, a link to a colleague’s PowerPoint presentation or anything in between.

Additional prevalent phishing techniques are included below. The full list can be found on the website

  • Email with a Spam Link: The goal of spam links is to send users to a fake site that looks just like a trusted website. Phishers then convince the target to enter their legitimate login credentials on the fake site in order to steal them.
  • Vishing: Did you know that phishing moved off the web? Starting in April 2006, phishers used voice over technology to imitate caller IDs – and by doing so exploited unsuspecting consumers. Automated messages claiming to be from verified banks led customers to disclose their account details. These types of nefarious security attacks are called 'vishing', a combo of 'voice' and 'phishing'.
  • Whaling: Whaling is a type of targeted cyber security attack, developed more recently. It’s directed towards C-Suite and executives who have greater company access – where a single cracked account can be a jackpot for phishers; hence, the ‘whale’ reference. 
  • Phishing through search engines: This type of phishing occurs when you use a search engine to shop for specific products. Typically, this only occurs when you arrive at a spammy website with clearly underpriced merchandise. When you enter your credit card info, it’s not going to the alleged merchant, but to phishers. 
  • Social Media: Phishers look to grow their relationship with you over time, frequently pretending to be someone you know. They create customized messages, all geared to grow your trust. Once they’ve achieved this fake closeness, they send a link and, if you click on it, they pretty much own your computer. 

The fight against Phishing

Multiple organizations have been formed to combat and track phishing attempts, but few have been as influential as Cassidy’s organization, the APWG. The APWG was created in 2003 and is a global coalition of industry and law enforcement professionals working to prevent cyber security crimes. You can download their 2014 second-half phishing report for more information. 

The U.S. government is also working to fight phishing and other cybersecurity threats. According to internet security watchdog IID, the White House allocated $14 billion toward cybersecurity spending in the 2016 federal budget, a 10 percent increase over the current fiscal year. 

Meanwhile, at Alliant, our Information Security and Fraud teams have developed a swift and efficient process to follow upon learning of any phishing attempt. Once Alliant is notified of any fraudulent phone number or website that’s mimicking us, we have processes in place to ensure they’re shut down immediately, working with authorities as necessary.

What you can do personally to stay safe from phishing

Unfortunately, phishers aren’t only interested in personal bank accounts anymore – they’ve grown their ambitions. They’re now also interested in big, medium and even small-sized companies.

Cassidy said that one of the smallest attacks he’s seen was an attack on a chamber of commerce in Kentucky, after an employee inadvertently gave access. The phishers got away with over $300,000.

“What you can do to protect yourself is slow down,” says Cassidy, “even if you think you know the correspondent intimately. The email you should most be cautious of is the ‘emergency email’ from a spouse with a link. The bad guys use the trust we have in one another and how we support one another against us. They use what makes us successful against us. It really cuts to the heart of who we as human beings are.”

Other tricks you should watch out for include:

  • Unofficial "From" email addresses. Look out for a sender's email address that is similar to, but not the same as, a company's official email address.
  • Urgent action required. In addition to the spouse trick, fraudsters often include urgent "calls to action" to try to get you to react immediately. Be wary of emails containing phrases like "your account will be closed," "your account has been compromised," or "urgent action required."
  • Generic greeting. Cyber security thieves often send thousands of phishing emails at one time. They may have your email address, but they seldom have your name. Be skeptical of an email sent with a generic greeting such as "Dear Customer" or "Dear Member."
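
The three tells in the list above can also be checked automatically on a raw email message. The following is an added example, not Alliant's own tooling: the domain examplebank.com, the sample message and the function names are constructed for illustration, and the edit-distance threshold of 2 is an assumption.

```python
import email
import re
from email.utils import parseaddr

# Phrases and greetings quoted in the list above.
URGENT_PHRASES = ("your account will be closed",
                  "your account has been compromised", "urgent action required")
GREETING_RE = re.compile(r"^\s*(dear customer|dear member)\b", re.I | re.M)

# Constructed sample message; examplebank.com is a placeholder domain.
SAMPLE_PHISH = (
    "From: Example Bank <security@examp1ebank.com>\n"
    "Subject: Urgent action required\n\n"
    "Dear Customer,\n\nYour account has been compromised. Sign in now.\n")


def edit_distance(a, b):
    """Levenshtein distance, used to spot near-miss sender domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def phishing_tells(raw_message, official_domain):
    """Return the tells found in one raw RFC 5322 message."""
    msg = email.message_from_string(raw_message)
    sender = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    official = official_domain.lower()
    is_official = sender == official or sender.endswith("." + official)
    tells = []
    # "Similar to, but not the same as": a near-miss spelling, or the
    # official name embedded in a different domain.
    if not is_official and (edit_distance(sender, official) <= 2
                            or official.split(".")[0] in sender):
        tells.append("lookalike-from")
    # Simplification: only single-part, plain-text bodies are inspected.
    body = "" if msg.is_multipart() else msg.get_payload()
    text = (msg.get("Subject", "") + "\n" + body).lower()
    if any(phrase in text for phrase in URGENT_PHRASES):
        tells.append("urgent-action")
    if GREETING_RE.search(body):
        tells.append("generic-greeting")
    return tells


if __name__ == "__main__":
    print(phishing_tells(SAMPLE_PHISH, "examplebank.com"))
```

A message with none of these tells can still be a phish, so an empty result is not a verdict that the email is safe.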

To read more tips on staying safe from phishing, read our previous blog article on how to avoid email phishing scams.

And remember, if something smells fishy – it probably is.

Sources: APWG, Anti-Phishing Society, Washington Post
