top of page
Search

The Origins and Evolution of Phishing Attacks

Article written by: Rishi Ramachandran

Article designed by: Rishi Ramachandran & Sanvi Desai


You probably receive a couple of suspicious emails each week, if not each day, and you end up deleting them without even a thought. But what if one of those emails was not merely annoying spam, but a cleverly crafted ploy to steal your identity or the secrets of your business? That is the work of phishing, which has evolved into a smarter and more sinister threat over the years.


Image from Malwarebytes


The first recorded phishing attack was in 1996, where a team of hackers claimed to be employees at American Online and used instant messaging and email to steal user's passwords and access their account. This attack, now referred to as "phishing", heavily relied on social engineering—a method that exploited human weaknesses as opposed to technical vulnerabilities. Victims were sent messages that seemed legitimate, often stating that there was an issue with their account that must be addressed as soon as possible. Many users responded with sensitive information, granting attackers full control over their AOL accounts. While the method was effective in the past, by modern standards it was a bit crude and unrefined.


As innocent-looking as it was, this early phishing campaign set the stage for what would ultimately be one of the most widespread and destructive cyber attacks of the age of the internet. The trajectory of phishing was forever altered on May 4, 2000, when the world fell victim to the infamous Love Bug virus. Originating from Cebu, Philippines, this attack flooded inboxes across the globe with a note subjectlined "ILOVEYOU." The email body contained a simple message "Kindly check the attached LOVELETTER coming from me." Hope or curiosity getting the better of them, the majority of users opened what appeared to be a harmless text file attachment, releasing a destructive worm onto their computers. Activated, the Love Bug worm wreaked havoc by overwriting image files and then replicating itself by sending copies to all contacts in the victim's Outlook address book. This attack demonstrated how malware successfully used spam to propagate itself using a psychological incentive combined with technical weakness. An estimated 45 million Windows-based computers were infected worldwide, causing widespread disruption.


Image from Seasia


Since the years that followed, phishing has grown exponentially in sophistication and scale. It now accounts for more than 91% of all cyberattacks worldwide, impacting individuals and organizations in every sector. One of the main reasons why phishing is becoming so much more effective is because of the advent of social media. A decade ago, there was a lot less professional and personal information available online. Now, there are sites like LinkedIn, Facebook, and Twitter that hold a vast quantity of information that criminals can leverage to launch highly targeted attacks.


Attackers use various tactics, such as spear phishing, which is a technique focusing attacks on specific individuals or organizations, and business email compromise (BEC), where cybercriminals pretend to be company bosses, in an effort to deceive employees into making money transfers or divulging sensitive information. Beyond email, phishing has spread into other channels such as text messages (smishing), phone calls (vishing), social networking websites, and even fake websites that are designed to look very similar to authentic websites.


Although it is impossible to say what phishing will look like in the future, one thing is for sure—attackers will keep capitalizing on human trust to gain entry around defenses. Being aware, alert, and ready to act is our best hope to defend ourselves and the institutions on which we depend.



Works Cited




  • Grimes, Roger A. Phishing Attacks: Defending Against Online Deception. Wiley, 2019.





 
 
 

Comments

bottom of page