Phishing is a type of social engineering attack in which an attacker, known as a phisher, attempts to deceive a victim into exposing sensitive information or downloading malware. Phishing attacks usually involve the phisher posing as a trusted contact of the victim, as well as the creation of an urgent scenario that draws the immediate attention of the victim in order to get a response. The success of a phishing attack relies on the phisher's pressure tactics and human error from the victim.
The term phishing serves as an analogy to fishing: phishing is the act of "fishing" for sensitive information from a "sea" of internet users. The use of "ph" in the word refers to the activity of phreaking, which is the fraudulent use of telecommunication systems. Those who participate in phreaking are called phreaks. The spelling of phishing was adapted to attribute the attacks to the underground community of phreaks, who were the first to perpetrate such attacks. The attacks can more specifically be attributed to the warez scene, a community of software hackers and pirates who congregated on AOL. The first recorded use of the term phishing was in January 1996 by spammer Khan C. Smith in a Usenet newsgroup regarding the topic of AOHell. AOHell was a Windows add-on program for AOL that provided various features, most of which were ways to "annoy others" and steal account information in order to provide phishers with free access to AOL. AOHell was developed in 1994 by a teenager from Pennsylvania named Koceilah Rekouche, better known by his screen name Da Chronic.
The first phishing attacks can be traced back to the 1990s during the rise of the digital age. In order to obtain free internet access, phishers would buy AOL floppy disks, which provided thirty-day free trials of internet service. At the end of the trial period, they would change their screen names to appear as AOL administrators and message other users for their account credentials. This allowed them to continue accessing the internet for free. Tools like AOHell were used to simplify this process. AOL eventually caught on to the practice and began to post warnings about the scam on its email and instant messenger clients. As internet use grew more popular, phishers began disguising themselves as administrators from internet service providers (ISPs) and would email accounts of various ISP customers to gain their login credentials.
In the early 2000s, phishers began attacking financial systems. The first major phishing attack was on the digital currency site E-gold in 2001. Users were sent emails that claimed E-gold was going out of business. The emails linked to clone websites of E-gold that would reveal the user's login credentials to a phisher. The attack was ultimately considered unsuccessful. By 2003, phishers began registering domain names with slight variations of the spelling of legitimate websites like eBay and PayPal. Then they would send out mass mailings to customers, asking them to log in to the fake websites and update their credit card information.
Phishing attacks have become more advanced and widespread since the early 2000s, following the growth of the World Wide Web. E-commerce and payment websites were common targets at first, followed by cryptocurrency and social media platforms. In 2022, 300,497 phishing attacks originating from the United States were reported to the Federal Bureau of Investigation (FBI). Losses totaled over $52 million. Phishing attacks account for 36 percent of all data breaches in the US, and 83 percent of companies experience a phishing attack attempt each year. Phishing scams have drastically increased in the US in recent years, with a 1,139 percent increase in reported phishing attacks from 2018 to 2022. A significant jump in unique phishing websites was noted during the beginning of the COVID-19 pandemic in 2020.
In email phishing, phishers send out emails while disguising themselves as a legitimate, trusted sender, like a well-known company. The emails are usually sent out to millions of people, a practice called bulk email phishing. Because the phisher is attempting to appear as a legitimate sender in order to trick victims, they will ensure the email looks as similar to the real sender's emails as possible. To do this, the phisher will include things like the impersonated sender's logo within the body of the email. They may also cloak the sender's return address by including the real sender's domain name or spoofing it with one using different characters that look the same as the real one at first glance. The email's subject line is written in an attention-grabbing way in order to prompt the recipient to act quickly without thinking. Subject lines often claim time-sensitive issues like invoices or order problems, while the body of the email instructs the recipient on how to take action against the problem. From there, a victim might be instructed to click on a malicious hyperlink or attachment, which results in them revealing sensitive information or downloading malware to their device.
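One defender-side check for the look-alike sender domains described above (confusable characters, or the slight spelling variations mentioned in the history section), written as an added example that is not from the original article. The trusted-domain list, the small confusable table and the sample From: addresses are constructed assumptions, not data from the page.

```python
# Added example, not code from the original article: flag sender domains that
# imitate a trusted domain through look-alike characters or small misspellings.
# TRUSTED_DOMAINS, CONFUSABLES and the sample addresses are constructed.
import unicodedata
from email.utils import parseaddr

TRUSTED_DOMAINS = {"paypal.com", "ebay.com", "microsoft.com"}  # constructed list

# Illustrative subset of visually confusable characters (ASCII digits/symbols and
# a few Cyrillic letters). A real deployment would use the full Unicode
# confusables data (UTS #39); this small table is an assumption.
CONFUSABLES = {
    "0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "@": "a", "$": "s",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0455": "s", "\u0456": "i", "\u0131": "i", "\u00e9": "e",
}
MULTI_CHAR = [("rn", "m"), ("vv", "w")]  # letter pairs that read as one letter


def skeleton(domain: str) -> str:
    """Collapse visually similar characters so look-alikes map to the same string."""
    try:  # punycode (xn--) labels are decoded back to Unicode first
        domain = domain.encode("ascii").decode("idna")
    except UnicodeError:
        pass  # input already contains non-ASCII characters; use it as-is
    d = unicodedata.normalize("NFKC", domain).lower()
    d = "".join(CONFUSABLES.get(ch, ch) for ch in d)
    for seq, rep in MULTI_CHAR:
        d = d.replace(seq, rep)
    return d


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one- or two-character misspellings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(from_header: str) -> tuple:
    """Return (verdict, trusted domain it resembles) for a From: header value."""
    address = parseaddr(from_header)[1]          # drops the display name
    domain = address.rpartition("@")[2].lower()
    if domain in TRUSTED_DOMAINS:
        return ("trusted", domain)
    sk = skeleton(domain)
    for trusted in TRUSTED_DOMAINS:
        if sk == skeleton(trusted):              # same skeleton: confusable chars
            return ("lookalike", trusted)
    closest = min(TRUSTED_DOMAINS, key=lambda t: edit_distance(sk, t))
    if edit_distance(sk, closest) <= 2:          # typosquat-style variation
        return ("misspelling", closest)
    return ("unknown", None)
```

The display name in the From: header is ignored deliberately, since it is the part a phisher controls most freely; only the address's domain is compared.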
Clone phishing is an email-based attack in which the contents of a legitimate, previously delivered email are mimicked by the phisher, who then replaces the links or files in the email with malicious links or attachments. The email can be sent again to the recipient using a spoofed email address that appears as if it is from the original sender, whom the recipient already trusts.
Spear phishing is a type of phishing attack that targets specific individuals. The target is usually a person who has access to sensitive data or network resources. Spear phishing involves studying the target's web presence and gathering the information needed to convincingly pose as a contact that the target trusts, such as a boss, colleague, vendor, or financial institution. A spear phisher may also pose as the victim.
Business email compromise (BEC) is a type of spear phishing attack against corporations or institutions. These attacks often involve the phisher posing as a C-level executive of the organization and messaging a lower-level employee with instructions to do things like transfer funds to a fraudulent account or place an order from a fraudulent vendor. A phisher may also gain access to a lower-level employee's email account, known as email account compromise (EAC). The phisher may then request sensitive information or payments from other employees or vendors by use of fraudulent invoices.
Whaling is a form of spear phishing that targets wealthy or otherwise high-value individuals, such as a C-level executive of a company. Like other phishing attacks, whaling attacks typically claim urgency in some important matter like a legal subpoena. In attacks against companies, a phisher may pose as the targeted executive and send scam emails to lower-level employees who may be easily fooled and not question the legitimacy of the request, thus making the attack more likely to succeed.
Voice phishing, or vishing, is phishing done via phone call. Phishers who perpetrate these attacks often spoof their caller ID number to make it appear as if the calls are coming from the victim's local area or from legitimate organizations. They may pose as an executive or official of an organization and demand payment from the victim for money they falsely claim is owed. In some vishing attacks, the phisher leaves a voicemail message requesting the victim to call back. Upon calling back, the victim is tricked into entering some sort of personal or sensitive information.
SMS phishing, or smishing, is a method of phishing through text messages or SMS. Smishing attackers often pose as a victim's own financial institution, cell phone provider, or some major company that the victim is familiar with. Smishing messages typically contain a link to a fake website that impersonates that of a real company. Upon clicking the link, the victim is prompted to enter some form of personal or account information. Sometimes malware is installed on the victim's device. Smishing attacks are typically more successful than email phishing attacks, as click-through rates for SMS range between 8.9 and 14.5 percent while the click-through rate for emails is only 1.33 percent. This could be because it is harder to verify links on smartphones than on computers, and it is not uncommon for banks and companies to text customers with shortened URLs for legitimate purposes.
Social media phishing involves gaining access to a victim's social media account such as Facebook, Twitter, Instagram, or LinkedIn. To achieve this, the phisher will typically message the victim, either on the platform in question or through email, with a fake login page under the guise of an account issue. This reveals the victim's account credentials to the phisher, who can then gather other personal information about the victim to launch an attack. Additional social media accounts of the victim can also be compromised if they use the same login information for other platforms. After gaining access to an account, a phisher will often message people on the victim's friend list in order to further their attack. Messages may include malicious links to steal additional information, requests for personal information regarding the victim, or requests for money.
Browser hijacking, also called a browser redirect virus, involves the use of malware to modify a victim's internet browser without their consent. Browser hijackers are usually installed by downloading a malicious file or visiting an infected website. Sometimes they are hidden within browser extensions that a user willingly downloads. A browser hijacker may make changes to the browser's homepage, toolbar, and search engine settings, which can redirect the user to malicious cloaked websites that gather private information on the user. Some browser hijackers include various types of spyware such as adware, keystroke loggers, and ransomware.