Author: Paul Gillin
The history of phishing has made these email-borne attacks one of the most serious cyber security threats of our time—and one of the hardest to combat with technology. Education and user vigilance continue to be an organization's best defenses.
Phishing is the practice of sending fraudulent emails, usually purporting to be from a friend or a well-known business, with the intent of duping recipients into giving up sensitive information, such as passwords or credit card numbers. In 2020, phishing was responsible for more than 80% of reported security incidents. It's one of the most common vectors for ransomware, which encrypts data and renders computers useless. An analysis of more than 55 million emails by cloud security provider Avanan found that one email in 99 contains a phishing attack. The 2020 Verizon Data Breach Investigations Report found that 22% of all data breaches involved phishing, and dark web monitoring firm ID Agent estimates that phishing attacks have increased more than 600% since the start of the COVID-19 pandemic.
The first phish
It's thought that the first phishing attacks happened in the mid-1990s, when a group of hackers posed as employees of AOL and used instant messaging and email to steal users' passwords and hijack their accounts. In the early 2000s, attackers turned their attention to financial systems, first launching attacks on the digital currency site E-Gold in 2001. By 2003, phishers started registering domain names that were slight variations on legitimate commerce sites, such as eBay and PayPal, and sending mass mailings asking customers to visit the sites, enter their passwords and update their credit card information.
A growing threat
As social networks proliferated, phishing attacks started harvesting personal data to customize messages to better fool recipients. This gave rise to the spear phishing variant, in which attackers research their targets to personalize their messages and enhance their chances of success, and the whaling variant, in which highly customized attacks target executives or wealthy individuals to steal sensitive information or convince them to wire large sums of money.
As time went on, phishers got savvier. They developed techniques to disguise their real email addresses and even developed a way to hijack email threads and impersonate trusted sources. They expanded their attack vectors to include social networks, instant messaging apps and SMS text messages, which are exceedingly challenging to monitor or filter. They spoofed approval emails that direct marks to fraudulent DocuSign sites to authorize wire transfers.
The history of phishing has even expanded to voice; phishers can now use voicemail messages or over-the-phone impersonations to fool potential victims into thinking that a phishing attack is legitimate. The phisher's varied toolkit is their biggest asset—too many people are unaware of how many ways they could be targeted.
Shifting tactics
Phishing emails soon became the primary delivery mechanism for ransomware, which hijacks a victim's data or systems and extorts money for their return. The Cryptolocker attack of 2013 was the first widely reported instance of ransomware, and the phenomenon came to a head with WannaCry, which started infecting computers worldwide in 2017 and continues to ravage businesses today. According to the MIT Technology Review, ransomware attacks netted $7.5 billion in the US alone in 2019.
The earliest ransomware emails usually contained an attachment that appeared to be a familiar file type, like a PDF file or a Word document. In reality, they were masked executable files (“.exe”) that unleashed malware that searched the user's local and cloud storage for files to encrypt. Modern variants can replicate across networks and automatically forward malicious emails to contacts in a victim's address book. And ransomware authors can now launch attacks from a single click on a website—and phishing attacks are still almost always the bait. Over the past two years, phishing-based ransomware attacks have increasingly targeted hospitals, municipal governments and utilities, increasing their leverage by threatening widespread disruption.
Fighting the evolution of phishing
Email service providers haven't been standing still. Phishing filters are steadily becoming more sophisticated; they can now vet URLs and attachments in emails against known malware sources. Microsoft said that it blocked more than 13 billion malicious and suspicious emails in 2019, 1 billion of which contained a phishing attack. Users are getting savvier, too—phishing-based breaches are down 6.6% from 2019, according to the 2020 Data Breach Investigations Report, and click rates are as low as they've ever been at 3.4%. According to the 2021 Data Breach Investigations Report, around 40% of breaches now involve social attacks that compromise people through phishing emails and websites delivering malware.
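As an added, constructed illustration of two of the checks such filters perform (example code, not Verizon's or any vendor's own filter): a small Python triage that flags look-alike sender and link domains, like the eBay and PayPal variations described earlier, and attachment names that hide an executable behind a document extension. The protected-brand list, extension sets and sample message are assumptions made for the example.

```python
"""Constructed example: minimal phishing triage for look-alike domains and masked executables."""
import re
from difflib import SequenceMatcher

KNOWN_BRANDS = {"paypal.com", "ebay.com", "docusign.com"}   # assumed list of protected brands
EXECUTABLE_EXTS = {"exe", "scr", "js", "vbs", "bat", "cmd"}
DOCUMENT_EXTS = {"pdf", "doc", "docx", "xls", "xlsx"}


def lookalike_domain(domain, brands=KNOWN_BRANDS, threshold=0.8):
    """Return the brand a domain imitates, or None if it is the brand itself or unrelated."""
    domain = domain.lower().rstrip(".")
    if any(domain == b or domain.endswith("." + b) for b in brands):
        return None                                  # the real brand or one of its subdomains
    for brand in sorted(brands):
        name = brand.split(".")[0]
        # brand name embedded in another domain ('paypal-secure.net') or a near-miss spelling ('paypa1.com')
        if name in domain or SequenceMatcher(None, domain, brand).ratio() >= threshold:
            return brand
    return None


def attachment_risk(filename):
    """'masked' for 'invoice.pdf.exe'-style names, 'executable' for any other executable
    extension, None otherwise. Whitespace padding between the dots is ignored."""
    parts = [p.strip() for p in filename.lower().split(".")]
    if len(parts) < 2 or parts[-1] not in EXECUTABLE_EXTS:
        return None
    return "masked" if len(parts) >= 3 and parts[-2] in DOCUMENT_EXTS else "executable"


def triage(message):
    """Findings for a message given as {'from': ..., 'links': [...], 'attachments': [...]}."""
    findings = []
    sender_domain = message["from"].rsplit("@", 1)[-1]
    if (brand := lookalike_domain(sender_domain)):
        findings.append(f"sender domain {sender_domain} imitates {brand}")
    for url in message.get("links", []):
        host = re.sub(r"^https?://", "", url).split("/")[0].split(":")[0]
        if (brand := lookalike_domain(host)):
            findings.append(f"link host {host} imitates {brand}")
    for name in message.get("attachments", []):
        if (risk := attachment_risk(name)):
            findings.append(f"attachment {name!r} is a {risk} executable")
    return findings


if __name__ == "__main__":
    sample = {"from": "billing@paypa1.com",          # constructed sample message
              "links": ["https://secure.paypal.com/login", "http://docusign-approval.net/sign"],
              "attachments": ["invoice.pdf.exe", "notes.txt"]}
    for finding in triage(sample):
        print(finding)
```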
Still, phishing has proven to be, and remains, a fruitful method for attackers, and there is no foolproof solution to it. User education remains the primary defense. Google's phishing quiz can illuminate just how devious these attacks can be. Some companies have set up internal accounts to which employees can report and forward suspicious messages for testing in a secure environment. Virtualizing user desktops so that malicious code can't touch the hardware or infect others on the network is another effective way to minimize the malware threat.
Proactive preventive measures won't stop phishing attacks from continuing. They still won't stop a careless executive from wiring $243,000 to a criminal on the strength of a single phishing message and a fake phone call. But they can reduce the risk that a ransomware attack brings your entire company grinding to a halt.
The author of this content is a paid contributor for Verizon.