Most IT security experts agree that the human user is the biggest vulnerability of any computer system. Cybercriminals understand this well, and the growth of phishing attacks illustrates it. The phenomenon is booming: according to recent studies*, the volume of phishing attacks increased by 6% between 2011 and 2012, with fraud losses in 2012 estimated at over 1.5 billion USD (22% more than in 2011).
A basic phishing attack attempts to trick a user into entering personal details or other confidential information, and email is the most common method of performing these attacks. The sheer number of emails sent every single day makes it an obvious attack vector for cyber criminals. It's estimated that 3.7 billion people send around 269 billion emails every single day. Researchers at Symantec suggest that almost one in every 2,000 of these emails is a phishing email, meaning around 135 million phishing attacks are attempted every day. Most people simply don't have the time to carefully analyse every message which lands in their inbox, and it's this which phishers look to exploit in a number of ways.

Scams vary in their targets. Some are aimed at unwary consumers. Here, the email subject line will be designed to catch the victim's eye: common phishing campaign techniques include offers of prizes won in fake competitions such as lotteries, or contests by retailers offering a 'winning voucher'. In this example, in order to 'win' the prize, the victims are asked to enter details such as name, date of birth, address and bank details in order to claim. Obviously, there's no prize, and all they've done is put their personal details into the hands of hackers. Similar techniques are used in other scams in which attackers claim to be from banks looking to verify details, online shops attempting to verify non-existent purchases or sometimes, even more cheekily, from tech security companies claiming they need access to information in order to keep their customers safe.

Other scams, usually more sophisticated, are aimed at business users. Here attackers might pose as someone from within the same organisation or one of its suppliers and ask you to download an attachment which they claim contains information about a contract or deal.
In many cases the file will unleash malicious software onto the system. Often it will harvest personal data, but it is also used to deploy ransomware or rope systems into a botnet. Attackers will often use high-profile events as a lure in order to reach their end goals. For example, a major campaign used the lure of the 2016 Olympic Games to help distribute malware in the run-up to the event. In many cases the malicious payload will be hidden inside a Microsoft Office document which requires the user to enable macros to run. The document will trick the victim into enabling them by claiming that an update needs to be installed or that permissions need to be given for the document to display properly. But if the user allows the payload to run, they and their company are likely to be in big trouble.
The overall term for these scams -- phishing -- is a modified version of 'fishing' except in this instance the fisherman is the cyber attacker and they're trying to catch you and reel you in with their sneaky email lure. It's also likely a reference to hacker history: some of the earliest hackers were known as 'phreaks' or 'phreakers'.
The consensus is that the first use of the word 'phishing' occurred in the mid-1990s, with software tools like AOHell which attempted to steal AOL user names and passwords. These early attacks were successful because they were a new type of attack, something users hadn't seen before. AOL provided warnings to users about the risks, but phishing remained successful and it's still here over 20 years on. In many ways, it has remained very much the same for one simple reason: because it works.
While the fundamental concept of phishing hasn't changed much, there have been tweaks and experiments across two decades as technology and the way we access the internet have changed. Following the initial AOL attacks, email became the most appealing attack vector for phishing scams as home internet use took off and personal email addresses became more common. Many early phishing scams came with tell-tale signs that they were not legitimate, including strange spelling, weird formatting, low-res images and messages which often didn't make complete sense. Nonetheless, in the early days of the internet, people knew even less about potential threats, which meant that these attacks still found success, and many of them are still effective. Some phishing campaigns remain really, really obvious to spot, like the prince who wants to leave his fortune to you, his one long-lost relative, but others have become so advanced that it's virtually impossible to tell them apart from authentic messages. Some might even look like they come from your friends, family, colleagues or even your boss.