The Evolution of Phishing: A Brief History

Phishing is one of the oldest crimes on the Internet, and cybercriminals will not abandon it anytime soon. Attackers have been using this social engineering tactic since the earliest days of the World Wide Web to extract credentials, money, and other valuable information. Despite improved general awareness of social engineering and phishing, these tactics show no sign of slowing down and remain a severe threat.

What is phishing?

It may sound like an overstatement, but all it takes to run a phishing campaign is malicious intent and a channel of communication. Malicious actors have exploited everything from news stories and rumors to letters, phone calls, text messages, email, and social media. Similar reports can be found in news coverage from the 1990s through today, which tells us this is one crime that is here to stay.

What do we know about phishing? Despite the ocean of definitions and technical detail, the idea is simple: phishing is any communication that deceives the victim into handing over something of value, whether credentials, payment details, or money, or into taking an action (opening an attachment, approving a transfer, scanning a QR code) that benefits the attacker. The key phrase is "any form of communication". Does that include face-to-face interaction? Yes. SMS? Yes. A poster on the wall with a QR code? Also yes. Wherever human communication reaches, there is an opportunity for criminals to turn their audience into victims.


Where did the term "phishing" come from? It is generally traced to the mid-1990s community attacking America Online (AOL) customers. According to its author, it first appeared in AOHell, a malicious program written to target AOL users that is widely considered the first digital phishing tool (more on this later), and the word is recorded in Usenet discussions of the AOL scene in 1996. The "ph" spelling follows the convention of the earlier phone-"phreaking" scene, and the metaphor is fishing: the attacker lays out digital bait and waits for victims to bite, giving up sensitive information or money.

Analog scams

Before the Internet, and long before the telephone, physical location played a far larger role in how a scam could be executed. Most communication relied on word of mouth or handwritten letters carried by messengers and postal workers, and information traveled slowly.

Can an intentionally misleading message still be called "social engineering" or "phishing" when it is not digital? Absolutely. Throughout history there have been malicious actors who profited by spreading false news in their communities, effectively "phishing" victims for whatever motives suited their time and place, and no doubt causing all kinds of chaos along the way.

There are well-documented examples, such as the "Spanish Prisoner" scam of the late 1800s, in which a letter writer claimed that a wealthy relative was being held in a Spanish prison and asked the recipient to advance money to secure his release in exchange for a share of the fortune. In scams of this kind the sender, claiming a dire circumstance, approached wealthy members of society for financial assistance. The entire story was invented. Sound familiar? It should, because the same plot (looking at you, "Nigerian Prince") is still used for phishing today.

Introduction of the telephone

With the advent of the telephone, people could communicate instantly to talk to each other rather than relying on in-person visits, writing letters and other time-consuming activities. Now the world was interconnected by a system in which a number was associated with an individual and that person could be contacted promptly.

However, criminals adapted to this invention too; it spared them the trouble of being physically present to carry out fraud. With no face-to-face contact to validate the caller, the person answering could be duped into believing the voice on the line had a legitimate reason to call. While the term "voice phishing" or "vishing" (phishing conducted over the telephone) came much later, telephone fraud is almost as old as the telephone itself, grew with the rise of telemarketing, and moved to mobile phones in the 1980s as soon as that technology became available.

The telephone gave rise to a family of pretexts that are still in use: alleged overdue bills, courier and customs invoices, urgent payments, and impersonation of bank or financial representatives, all aimed at gathering personally identifiable information (PII) from the victim. One famous example of what we would now call vishing is Kevin Mitnick's use of telephone pretexting in the 1980s and 1990s to talk employees out of passwords and access codes, which he then used to get into computer systems.

The Internet emerges and advances

The emergence of the Internet is when the trouble for organizations intensified. Attackers could now register domains, host websites, and reach anyone, anywhere, with geography no longer a barrier.

The word "phishing" comes from the AOL attacks described above. AOHell included a "fisher" feature that sent instant messages to randomly chosen AOL users, posing as AOL staff and asking them to "verify" their account by supplying their password or billing information. Around 1995 the same tool and its imitators also shipped spamming features such as "bombing" (the same content mass-sent to many recipients) over instant messages and email, used mainly to harass other AOL users.

In the early 2000s, a common tactic was an email carrying malware, typically a keylogger, that captured the victim's credentials as they were typed. Such campaigns spread rapidly and affected tens of millions of devices, making it urgent for organizations to put security controls in place to protect customers and employees from phishing in particular.

From the 2000s into the 2010s, phishing evolved further, most noticeably through abuse of the Domain Name System (DNS) and typosquatting: registering look-alike domains (a transposed letter, a missing character, a different top-level domain, a lure word such as "login" bolted onto the brand name) so that a victim who misreads or mistypes a URL lands on the attacker's page. New categories of attack emerged, including "vishing", "smishing", "quishing", "spear phishing", "whaling", "business email compromise" and "DNS hijacking" (see the glossary at the end of the article). Each reflects a different delivery channel or targeting strategy, and together they hinted at how the craft would keep advancing.

During this period criminals hosted fake websites, mostly credential-harvesting login pages and malware downloads, and primarily targeted the financial and retail sectors, according to APWG reporting. The trend later expanded into other industries and set the stage for the current era, in which artificial intelligence (AI) causes trouble for even resilient infrastructures: AI-assisted phishing kits have accelerated both the speed and the scale of campaigns.

The Internet today

That brings us to today. Artificial intelligence (AI) systems are ubiquitous in everyday life, and cybercriminals use the same technology to produce convincing phishing kits and lures that are far harder to detect. Bots automate the mundane, repeatable parts of the attacker's workflow, while newer distribution techniques such as malvertising join traditional spam to spread campaigns.

With the rise of Phishing-as-a-Service (PhaaS) offerings sold on dark web marketplaces, even an unsophisticated criminal can achieve quick financial gains with readily available resources. The same marketplaces also trade in stolen data such as payment card details, personally identifiable information (PII), and uploaded "Know Your Customer" (KYC) identity documents. Each successful campaign feeds this economy and motivates actors to drive still more traffic to their phishing traps.

Since 2020 the world has become more reliant on technology for day-to-day activities, and industries such as software-as-a-service (SaaS), fintech, payment providers, social media, e-commerce, logistics and telecom have all seen large phishing campaigns aimed at them, according to the Anti-Phishing Working Group (APWG).

Phishing in 2024

Free and "low-code" platforms are a challenge for every industry that defends against phishing: they let an attacker stand up a campaign in minutes and tear it down, evidence included, just as quickly, which keeps the attacker anonymous and hard to detect. A recent example involved phishing attacks against an Indian bank in which heavy use of AI was evident; the messages closely mirrored the bank's own internal communications, making them hard to distinguish from the real thing. A 2023 report by The Hindu found that nearly 49% of people in India struggled to tell a legitimate email from a phishing attempt. These lures are very convincing.

APWG also notes a recent decline in phishing against the banking sector, which has been displaced by social media as the most targeted industry. The shift is largely explained by the growth of diversified payment systems that extend well beyond traditional banking: when regulated finance, unregulated peer-to-peer systems and payment providers are counted together, they rank as the third most targeted industry.

The rise in social media attacks also points to the surge in deepfake generation. In the current geopolitical climate, deepfakes can reach millions of people quickly, exposing particular groups to misleading content that is difficult, sometimes nearly impossible, to distinguish from authentic material.

What changed in all these years of phishing…and what didn’t?

Phishing, as our timeline shows, has always been around in one form or another, and the criminals who rely on it will keep adapting to new developments in technology. Internet use is now ubiquitous, even in authoritarian states and developing countries, unlike the early 1990s, when only a negligible share of the global population was online.

Today the largest social media platforms host roughly half the world's population, giving cybercriminals a vast playground for phishing and amplifying the potential impact of every campaign.

The history above shows how the adoption of new technologies and techniques, AI included, can strengthen cyber defenses. But the same technologies are a double-edged sword, because cybercriminals can wield them too. In practice, attackers are often a step ahead: the first to find and exploit new loopholes and tactics using the newest tools.

Cybercriminals have developed ways to evade detection and stay anonymous, using aliases and fake personas that are discarded after every campaign. They have also formed groups that operate much like any other crime syndicate: individuals who work both independently and as part of a group, operate remotely, and extend their networks across the surface web and the dark web.

With the help of AI, phishing, including both the attacks themselves and the generation of kits, is reaching new levels of scale and sophistication. This trend shows no signs of slowing down. On the contrary, it keeps expanding along with technology, as it always has.

While the methods have evolved, the intent, to communicate with potential victims in order to gain something unlawfully (in other words, phishing), has remained constant. Humans remain the primary exploitation vector, and phishing still relies on targeting human trust and persuadability.

Reducing phishing attacks in the future

Organizations have to stay a step ahead of attackers and adopt technologies that counter state-of-the-art phishing. Predictive security tooling can help analysts make informed decisions about phishing threats and disrupt criminal activity preemptively and at scale. Another practical approach is continuous threat monitoring that surfaces newly registered look-alike domains before the sites behind them go live; in practice that means watching domain registration feeds and certificate transparency logs for names that resemble your brand, and filing takedown or blocklist requests before the lure is ever sent.

In an era when people depend heavily on the internet and social media, a single phishing site can reach a very diverse set of victims. Given that malicious domains are now short-lived, timely detection and mitigation of adversarial infrastructure, ideally before it is launched, is essential.
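The two defensive ideas above (the typosquatting look-alikes described in the 2000s-to-2010s section, and monitoring newly registered domains before they go live) can be combined into a small scanner. The following Python is an added example written for this article, not code from the original page or from any vendor. It assumes a brand domain of the simple form label.tld, uses a constructed list in place of a real daily newly-registered-domain feed, and does not consult DNS, WHOIS, or any external service.

```python
"""
Typosquat candidate generation and matching against a newly-registered-domain feed.

Added example, not code from the original article. Assumes a brand domain of the
simple form label.tld and a constructed sample feed standing in for a real NRD list.
"""
from itertools import product

# Constructed sample feed: entries a daily newly-registered-domain list might contain.
SAMPLE_NRD_FEED = [
    "examplebank.com",                     # the brand itself: must not be flagged
    "exanplebank.com",                     # one-character substitution (n for m)
    "examplebnak.com",                     # adjacent transposition
    "examplebank-login.com",               # brand plus lure keyword
    "secure-examplebank.net",              # keyword prefix and TLD swap
    "exampIebank.com",                     # homoglyph: capital I for l (lowercases to i)
    "examplebank.co",                      # truncated TLD
    "examplebank.com.verify-account.xyz",  # brand used as a subdomain label
    "weather-forecast.org",                # unrelated registration
]

# Visually similar replacements, all lowercase because DNS names are case-insensitive.
HOMOGLYPHS = {"l": ["1", "i"], "i": ["l", "1"], "o": ["0"], "e": ["3"], "a": ["4"]}
LURE_KEYWORDS = ["login", "secure", "verify", "account", "support"]
TLDS = ["com", "net", "org", "co", "xyz", "info"]


def split_domain(domain):
    """Return (label, tld) for a two-label domain such as 'examplebank.com'.
    Public-suffix handling (co.uk and friends) is out of scope for this example."""
    label, _, tld = domain.lower().rstrip(".").partition(".")
    return label, tld


def typosquat_candidates(brand_domain):
    """Enumerate look-alike domains an attacker might register for brand_domain."""
    label, _ = split_domain(brand_domain)
    labels = set()
    for i in range(len(label)):                      # character omission
        labels.add(label[:i] + label[i + 1:])
    for i in range(len(label) - 1):                  # adjacent transposition
        labels.add(label[:i] + label[i + 1] + label[i] + label[i + 2:])
    for i in range(len(label)):                      # character repetition
        labels.add(label[:i] + label[i] * 2 + label[i + 1:])
    for i, ch in enumerate(label):                   # single homoglyph substitution
        for sub in HOMOGLYPHS.get(ch, []):
            labels.add(label[:i] + sub + label[i + 1:])
    for kw in LURE_KEYWORDS:                         # lure keyword as prefix or suffix
        labels.update({f"{label}-{kw}", f"{kw}-{label}", f"{label}{kw}"})
    labels.add(label)                                # unchanged label under other TLDs
    brand = brand_domain.lower()
    return {f"{lab}.{tld}" for lab, tld in product(labels, TLDS)} - {brand}


def levenshtein(a, b):
    """Edit distance; a fallback for substitutions the generator does not enumerate."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(domain, brand_domain, candidates, max_distance=1):
    """Return a reason string if domain looks like an impersonation of brand_domain, else None."""
    d = domain.lower().rstrip(".")
    brand = brand_domain.lower()
    label, _ = split_domain(brand)
    parts = d.split(".")
    if d == brand or len(parts) < 2:
        return None
    if d in candidates:
        return "typosquat-candidate"
    if label in parts[:-2]:                # brand name used as a subdomain of another registration
        return "brand-in-subdomain"
    if levenshtein(parts[-2], label) <= max_distance:
        return "near-miss"
    return None


def scan_feed(feed, brand_domain):
    """Map each suspicious feed entry to the reason it was flagged."""
    candidates = typosquat_candidates(brand_domain)
    hits = {}
    for entry in feed:
        reason = classify(entry, brand_domain, candidates)
        if reason:
            hits[entry] = reason
    return hits


if __name__ == "__main__":
    for domain, reason in scan_feed(SAMPLE_NRD_FEED, "examplebank.com").items():
        print(f"{reason:20s} {domain}")
```

Run against the constructed feed, the scanner flags seven of the nine entries and leaves the brand itself and the unrelated registration alone. The exact-match set catches the enumerated variants cheaply; the edit-distance fallback is deliberately strict (distance 1) because looser thresholds generate noise on short brand names, and the subdomain check exists because many kits put the brand in a host label under a throwaway registration rather than typosquatting the registrable name at all.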

Glossary

There were a lot of phishing terms in this article. Here’s what they mean:

  • Phishing: Deceiving victims by posing as a legitimate entity in order to obtain sensitive information or money, or to make them take an action that benefits the attacker.
  • Spear phishing: Phishing messages targeted at, and tailored to, a specific individual, group, or organization.
  • Whaling: Spear phishing aimed at executives and other C-suite titles in a company.
  • Vishing: Voice phishing, where the attack is conducted over the telephone.
  • Smishing: Phishing where the malicious message is sent over SMS.
  • Quishing: Phishing that delivers its link as a QR code (on a poster, in a PDF, or as an image in an email), which bypasses URL-based filters and moves the victim onto a less protected mobile device.
  • Business email compromise (BEC): An attacker spoofs or takes over an employee's email account and uses it to request payments or data from colleagues or from third parties such as vendors.
  • DNS hijacking: Altering DNS records or resolution (for example through a compromised registrar account, router, or resolver) so that requests for a legitimate domain are redirected to the attacker's phishing page.