A look at the history of phishing reveals that the first phishing email is thought to have originated sometime around the year 1995. The first many knew of the existence of phishing was five years later when the Love Bug struck. Fast forward almost twenty years and phishing is the number one attack vector for compromising an organization and stealing data. How did we get to this point? When did the bad guys get so savvy? Maybe there are some clues in the history of phishing.
The History of Phishing Started in the 1990s
Back in the early to mid-1990s, the only Internet option was ‘dial-up’ access for a fee. For those that were reluctant to pay for Internet access, the alternative was a thirty days free trial to access to the Internet via an AOL floppy disk. Rather than face life without the Internet after the trial period expired, some found a way to change their screen names to make it appear as if they were AOL administrators. Using these phony screen names, they would “phish” for log-in credentials to continue accessing the Internet for free.
As Internet use increased in popularity, scammers adapted these tactics to disguise themselves as administrators from an ISP, emailing the accounts of the ISP’s customers to elicit user login credentials. Having spoofed someone, the hacker could access the Internet from that user’s account with the bonus of sending spam from the user’s email address.
The Love Bug of 2000
A change in tactics saw the world fall victim to the Love Bug on May 4 2000. Starting in the Philippines, mailboxes around the globe were filled with a message titled “ILOVEYOU”. The message body simply said “Kindly check the attached LOVELETTER coming from me”.
Those who could not resist unearthing their secret crush, opened what they thought was a harmless .txt file, only to unleash a worm that did damage on the local machine. The worm overwrote image files and sent a copy of itself to all the user´s contacts in their Outlook address book.
‘LoveBug’ showed how to get spam to send itself and that, with a cleverly designed virus that preyed on human psychology and technical failings, malware could rack up enormous numbers of victims. In all about 45 million Windows PCs were thought to have been hit.
The history of phishing shows that, although delivery methods have evolved over two decades to evade detection by spam filters and other technology, the tactics employed by phishers have remained fairly consistent. It would seem logical that people should have learned to avoid the trap of surrendering login credentials, clicking links or even opening attachments. Yet this is still an effective tactic for hackers. Why?
While the phisher’s tactics may not have changed, the stakes have. Now, instead of getting free Internet access, phishing scams can wreak havoc on the world economy. Why put in the work to break through a firewall, when a well-crafted phishing email can be just as effective in giving the hacker access to sensitive information.
One key development has been the rise of social media. As previously mentioned, just 10 years ago there was little to no information available over the Internet about organizations and the people who worked for them. Today, almost everyone at every organization has a LinkedIn, Facebook, or Twitter account, some will have all three.
While a key business tool, these social media sites offer a veritable gold mine of personal information that criminals can, and do, use to personalize emails to specific recipients – a practice known as spear phishing.
Think about the amount of information a criminal can find about a company just through LinkedIn. Using that as a starting point, the hacker can then delve deeper into the personal lives of targets through Facebook and Twitter.
An email coming from a (seemingly) familiar or authoritative source, dealing with a relevant topic puts the recipient at ease. Personalized details only add to the authenticity and peace of mind the recipient experiences, making the likelihood of interaction with the links or attachments quite high.
The stakes, coupled with the minimal resources required to execute an attack, have made spear phishing the choice for criminals seeking access to the sensitive data stored on the networks of large organizations and corporations. Target, Home Depot and Anthem are just three of the latest high-profile breaches that are believed to have started with an employee falling victim to spear phishing.
Activate Your Human Sensors
While it would seem logical that technological defenses will improve, the recent history of phishing implies it is unlikely technology will ever fully prevent spear phishing emails from reaching an employee’s inbox. Therefore, it stands to reason that crowdsourcing phishing detection allows the first line of defense to report attacks as soon as they hit the network.
A good analogy is the fruit vendor who helped prevent a terrorist attack in Times Square back in 2010. In this instance, a vendor tipped off police after noticing that a car had been parked for several hours on a street in Times Square – an unusual occurrence in such a busy area. The car turned out to be loaded with explosives.
Although a crowded area like Times Square was equipped with expensive surveillance equipment and had a large police presence, the vendor’s knowledge of the streets made him the best person to identify suspicious activity. On a network, users are often the first to receive attacks, making their reports of suspicious email vital intelligence in preventing data breaches.
Here is a list of five phishing training tips to help set the workforce to stun:
- Educate the workforce so that they view their inbox with suspicion. For example, what will the IT team do? What information will they ask for? This way users are less likely to fall for a phisher trying to unearth a user’s credentials.
- Introduce a process that encourages users to report suspicious messages and emails, while also including feedback so they understand what it makes the message legitimate or a phishing threat.
- Use this intelligence to help other users hone their detective skills, perhaps sharing ‘scams of the month’ via a security newsletter.
- By collecting user reports of suspicious emails and analyzing TTP – such as email content, headers, and URLs, organizations can recognize patterns and take preventive action
- Over time, organizations should track individual reporting trends and priorities reports from those users who have a strong history of positively identifying and reporting phishing emails.
The reason phishing continues to be effective remains the same – humans are attacking humans. Instead of leaving your workforce vulnerable, give them the power to shield the enterprise.
Frequently Asked Questions
Phishing is a type of cybercrime most often using email. Phishing threat actors pose as a legitimate organization in malicious emails to convince recipients to click on a link, download a file or take some other action that advances attacker objectives. Often urgency or threat messages and subject lines are used to compel engagement and hasty compliance to the action requested. An attacker’s goal is usually to harvest credentials, personally identifiable information, banking and credit card details and other sensitive information. Once acquired, the information is used for malicious purposes such as identity theft, ransomware attack, credit card fraud and more.
The origins of phishing date to the 1990s as internet access and use expanded, and email became more widely used. A particular milestone was marked in May 2000 when email users worldwide received messages with the subject line “ILOVEYOU”. The message included a .txt file that launched a worm to, among other things, overwrite image files. Another milestone was a 2004 legal claim against a teenager who spoofed an ISP website to attain access to users’ credit card and bank accounts.
Many businesses approach phishing protection by implementing secure email gateways (SEGs) from Microsoft or other vendors. However, threat actors regularly circumvent these types of controls. For this reason, cybersecurity experts recommend adding layers of protection. Best practices call for a comprehensive approach that brings to bear advanced security software and high-quality conditioning for employees, often via real-world simulations. The objective is to enlist employees as human sensors equipped to serve as a last line of defense when malicious email penetrates a security perimeter.