The history of phishing has made these email-borne attacks one of the most serious cyber security threats of our time—and one of the hardest to combat with technology. Education and user vigilance continue to be an organization's best defenses.
Phishing is the practice of sending fraudulent emails, usually purporting to be from a friend or a well-known business, with the intent of duping recipients into giving up sensitive information, such as passwords or credit card numbers. In 2020, phishing was responsible for more than 80% of reported security incidents. It's one of the most common vectors for ransomware, which encrypts data and renders computers useless. An analysis of more than 55 million emails by cloud security provider Avanan found that one email in 99 contains a phishing attack. The 2020 Verizon Data Breach Investigations Report found that 22% of all data breaches involved phishing, and dark web monitoring firm ID Agent estimates that phishing attacks have increased more than 600% since the start of the COVID-19 pandemic.
The first phish
It's thought that the first phishing attacks happened in the mid-1990s, when a group of hackers posed as employees of AOL and used instant messaging and email to steal users' passwords and hijack their accounts. In the early 2000s, attackers turned their attention to financial systems, first launching attacks on the digital currency site E-Gold in 2001. By 2003, phishers started registering domain names that were slight variations on legitimate commerce sites, such as eBay and PayPal, and sending mass mailings asking customers to visit the sites, enter their passwords and update their credit card information.
A growing threat
As social networks proliferated, phishing attacks started harvesting personal data to customize messages to better fool recipients. This gave rise to the spear phishing variant, in which attackers research their targets to personalize their messages and enhance their chances of success, and the whaling variant, in which highly customized attacks target executives or wealthy individuals to steal sensitive information or convince them to wire large sums of money.
As time went on, phishers got savvier. They developed techniques to disguise their real email addresses and even developed a way to hijack email threads and impersonate trusted sources. They expanded their attack vectors to include social networks, instant messaging apps and SMS text messages, which are exceedingly challenging to monitor or filter. They spoofed approval emails that direct marks to fraudulent DocuSign sites to authorize wire transfers.
The history of phishing has even expanded to voice; phishers can now use voicemail messages or over-the-phone impersonations to fool potential victims into thinking that a phishing attack is legitimate. The phisher's varied toolkit is their biggest asset—too many people are unaware of how many ways they could be targeted.
Phishing emails soon became the primary delivery mechanism for ransomware, which hijacks a victim's data or systems and extorts money for their return. The Cryptolocker attack of 2013 was the first widely reported instance of ransomware, and the phenomenon came to a head with WannaCry, which started infecting computers worldwide in 2017 and continues to ravage businesses today. According to the MIT Technology Review, ransomware attacks netted $7.5 billion in the US alone in 2019.
The earliest ransomware emails usually contained an attachment that appeared to be a familiar file type, like a PDF file or a Word document. In reality, they were masked executable files (“.exe”) that unleashed malware that searched the user's local and cloud storage for files to encrypt. Modern variants can replicate across networks and automatically forward malicious emails to contacts in a victim's address book. Ransomware authors can now launch attacks from a single click on a website, and phishing attacks are still almost always the bait. Over the past two years, phishing-based ransomware attacks have increasingly targeted hospitals, municipal governments and utilities, gaining leverage by threatening widespread disruption.