If you ask three people what phishing is, you’ll likely get three very different answers. To understand what phishing is, you have to look at the past. Discover how phishing evolved into the three types of phishing scams being carried out today.
If you write “What is phishing?” on a whiteboard during a meeting and ask the attendees to write their answers on a slip of paper, you might get answers like:
- “Phishing is a type of cyberattack.”
- “It’s a way hackers try to steal your money.”
- “Phishing refers to email scams in which hackers pretend to be someone else in order to trick you into revealing your password.”
- “It’s when Rachel from Cardholder Services calls you, trying to get you to cough up your credit card numbers.”
- “Phishing is a phun phamily activity in which you catch phish and then throw them back in the water.”
Except for the last response, all of these answers are correct albeit incomplete.
What Phishing Is
Phishing is a form of fraud in which a malicious actor (aka a hacker or cybercriminal):
- Masquerades as a reputable person or a legitimate organization.
- Uses psychological manipulation to get victims to perform certain actions such as divulging sensitive information. In other words, the hackers use social engineering to get what they want.
Its roots have been traced back to the days when America Online (AOL) was popular. In 1995, a group of hackers came up with a scheme to steal money from AOL users. Posing as AOL employees, they sent messages to numerous users through the service’s email and instant messaging systems. The messages asked users to either verify their account details or confirm their billing information. “More often than not, people fell for the ruse,” according to phishing historians. “After all, nothing like it had ever been done before.”
In 1996, people began using the term “phishing” to describe this type of attack because the hackers tried to lure AOL users into taking the bait, much like fishing enthusiasts try to lure fish into eating the bait on their hooks. And the use of “ph” instead of “f” was no accident, according to phishing historians. Some of the earliest hackers were called phreaks, so this spelling linked the phishing scams with this underground community.
Changing with the Times
As time went by, people became more aware of phishing scams and didn’t take the bait as often. This prompted hackers to begin devising new ways to hook victims. They started using spoofed websites and pop-up windows to trick people into providing personal and financial information. Cybercriminals began targeting businesses, which required them to create more personalized phishing messages. And hackers started infecting victims’ devices with malware by attaching weaponized files to phishing emails. Cybercriminals even started calling potential victims. Auto dialers and other technologies make it an easy and inexpensive way for cybercriminals to send phishing phone messages to the masses.
Another change seen over the years concerns the phishing scam’s role. Originally, hackers used phishing scams for standalone attacks. For example, the hackers used a phishing email to get victims to divulge their bank account login credentials, which the hackers used to steal money from those accounts. While cybercriminals are still carrying out standalone phishing attacks nowadays, they are also using phishing scams as part of larger attacks. For instance, cybercriminals can use a phishing scam as part of a data breach. The hackers first use a phishing email to get company employees to reveal their credentials for an app, then use the compromised credentials to access it. By exploiting a vulnerability in the app, the hackers are able to infiltrate the company’s network and steal proprietary data.
The Types of Phishing
Due to the various adaptations that hackers have made, there are now three main types of phishing:
- Classic phishing. In classic phishing attacks, hackers use many of the techniques used in the AOL phishing attacks. In these classic attacks, cybercriminals typically send phishing emails to the masses so people might get them in their personal email accounts or business email accounts. Because the same message is going to numerous people, the message is not personalized.
- Spear phishing. Like classic phishing attacks, spear phishing scams are typically carried out through emails. However, hackers send significantly fewer emails because spear phishing scams take a more personalized approach. Instead of sending a generic email to the masses, the cybercriminals target specific individuals and personalize the emails sent to them. The emails typically include the target’s name and present the call for action (i.e., the action they want the person to take) in a context that makes sense to the recipient. Because these scams take more time and effort to carry out, companies are typically targeted.
- A whaling attack is basically a spear phishing scam, except the target is a high-level official such as a company’s chief executive officer (CEO) or chief financial officer (CFO). In these scams, cybercriminals often try to trick the target into authorizing high-value wire transfers. Because the stakes are high, advanced technologies (e.g., deepfakes) and sophisticated techniques (e.g., setting up bank accounts and websites for fake companies) are used.
Don’t Be Scammed
Hackers have been phishing for more than 25 years, so they are very good at it. Thus, you need a solid defense against this threat. We can help you develop and implement a comprehensive plan to protect your business against phishing, spear phishing, and whaling attacks.
Phishing warning flickr photo by Christiaan Colen shared under a Creative Commons (BY-SA) license