Despite its prevalence, phishing is not a tale as old as time. In fact, these email scams originated around 1995, but it took about 10 years before ordinary people knew what the term meant.
A play on the word “fishing,” phishing is the act of sending an email to a person while claiming to be a legitimate enterprise. The phishing email typically redirects the user to a website where scammers trick them into “updating” their personal information, such as bank account numbers, social security numbers, credit card details or passwords.
Phishing scams have been causing serious online and IT security problems for both individuals and businesses since day one. In this article, we will look at how phishing evolved, as well as the latest effective phishing techniques that target modern enterprises.
Evolution of Email Scams
Based on internet records, the term “phishing” was first mentioned in a Usenet newsgroup called alt.online-service.america-online on January 2, 1996.
America Online (AOL) was once the number one internet provider in the United States, with millions of daily online users. Its popularity made it the natural stage for hackers.
At first, hackers and users who traded pirated software used AOL to talk to each other. This gave birth to the so-called “warez community,” which became the first group to roll out phishing attacks.
Hackers used algorithms to generate random credit card numbers. Among all of these algorithm-based guesses, some eventually hit valid combinations. They then used the credit card numbers to open new AOL accounts, which served as dummy accounts for spamming other online users and doing a lot of damage. They also used “AOHell,” a special program that made it simpler for hackers to send bogus emails.
When AOL finally added security measures in 1995 that prevented the use of randomized credit card numbers, the practice stopped. However, this gave birth to phishing attacks.
Hackers used AOL’s email and instant messenger systems to send messages to users while claiming to be AOL employees. In this scheme, they asked users to update or verify their account or billing information. Phishing was in its infancy, and many people fell prey to the ruse.
Since then, “phishers” have used the same technique to trick online users into verifying sensitive information. In 2001, the scammers targeted online payment systems; the first such attack was made in June 2001 on E-Gold. While this first attempt was not successful, it laid the foundation.
In the latter part of 2003, phishers registered several domains that mimicked established online payment systems such as PayPal and eBay and then sent phishing emails to legitimate users. These bogus emails led users to fake sites where they were asked to update their information.
By 2004, phishers went for the big boys: banking sites. In recent years, more sophisticated phishing schemes have been created, and they continue to do damage to online users and businesses.
Business Email Compromise
Also known as “CEO Fraud,” Business Email Compromise (BEC) is a newer scheme in which hackers compromise the email account of a business executive. Hackers use the compromised email account to send messages to employees asking them to wire large amounts of money to foreign accounts.
Based on figures from the U.S. Federal Bureau of Investigation, BEC schemes have affected about 22,000 companies around the world, with approximately $3.1 billion in total losses.
Here are some of the techniques and plausible scenarios through which BEC schemes can target your organization, and the reason a regular and stringent IT audit is a vital component of business operations.
Other Names: Business Executive Scam, Masquerading, Financial Industry Wire Fraud
In this scheme, phishers target the email accounts of business executives and send urgent messages to employees, asking them to wire money to a fake account because of an emergency. Sometimes, phishers send such messages to banks and other financial institutions.
Bogus Invoice Scheme
Other Names: Supplier Swindle; Invoice Modification Scheme
This scheme works especially well against businesses that deal with international suppliers. Phishers contact the company by fake email, fax or even phone, informing them that the payment location on the original invoice has changed. Phishers then ask the business to wire the funds to a fake account.
In this phishing scheme, business email accounts are hacked rather than spoofed. Phishers take over the hacked account and send emails to several vendors in its contact list, requesting that they wire payments to bank accounts the phishers control.
In this scheme, phishers compromise the business email accounts of specific employees in order to obtain personal information. For instance, a hacked HR employee’s email account is used to ask other staff for their personal details. The phished data is then used to mount more damaging attacks on the company.
In this scheme, phishers claim to be lawyers or law firm representatives. They contact CEOs, members of the leadership team or even ordinary employees about a supposedly confidential and time-sensitive matter that requires quick payments or settlements. They may also make contact by phone, and the attacks are carefully timed, usually at the end of the work day or week, when people are most likely to panic and act on impulse.
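The BEC scenarios above share a handful of observable traits: a trusted display name on an address that is not the person's real one, a Reply-To that steers replies to an outside mailbox, a sender domain that is one character away from the company's or a vendor's (the same lookalike-domain trick the history section describes for PayPal and eBay), and a request for a payment or bank-detail change wrapped in urgency or secrecy. The following Python script is an added example written for this article, not code from the original page or from any product it mentions; it scores a raw email against those traits using the standard library only. The company domain (example-corp.com), the executive list, the vendor list and all four sample messages are constructed for the demonstration.

```python
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed reference data for a hypothetical company; replace with your own directory data.
CORPORATE_DOMAIN = "example-corp.com"
EXECUTIVES = {"jane doe": "jane.doe@example-corp.com"}  # display name -> genuine address
TRUSTED_VENDORS = {"acme-supplies.com"}

# Content signals drawn from the BEC scenarios: payment requests and pressure to act fast.
MONEY_TERMS = re.compile(r"\b(wire|transfer|payment|invoice|settlement|bank account|routing)\b", re.I)
URGENCY_TERMS = re.compile(r"\b(urgent|immediately|asap|confidential|today|end of day|eod)\b", re.I)


def levenshtein(a, b):
    """Edit distance; small distances between domains indicate a lookalike."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain, trusted):
    """True if domain imitates a trusted domain (1-2 edits away, or same name under another TLD)."""
    domain = domain.lower()
    if domain in trusted:
        return False
    for t in trusted:
        if 0 < levenshtein(domain, t) <= 2:
            return True
        if domain.split(".")[0] == t.split(".")[0]:
            return True
    return False


def analyze(raw):
    """Return identity and content indicators for one raw RFC 822 message, plus a flag."""
    msg = email.message_from_string(raw, policy=policy.default)
    name, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rpartition("@")[2].lower()
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    reply_domain = reply_addr.rpartition("@")[2].lower() if reply_addr else from_domain
    body = msg.get_body(preferencelist=("plain",))
    text = msg.get("Subject", "") + "\n" + (body.get_content() if body else "")

    trusted = TRUSTED_VENDORS | {CORPORATE_DOMAIN}
    identity, content = [], []

    # CEO fraud: a known executive's display name on an address that is not theirs.
    genuine = EXECUTIVES.get(name.strip().lower())
    if genuine and addr.lower() != genuine:
        identity.append(f"display name '{name}' impersonates {genuine}")
    # Hacked or spoofed account steering replies elsewhere.
    if reply_domain != from_domain:
        identity.append(f"Reply-To domain {reply_domain} differs from sender domain {from_domain}")
    # Registered lookalike of the company or of a supplier.
    if is_lookalike(from_domain, trusted):
        identity.append(f"sender domain {from_domain} resembles a trusted domain")
    elif reply_domain != from_domain and is_lookalike(reply_domain, trusted):
        identity.append(f"Reply-To domain {reply_domain} resembles a trusted domain")
    if MONEY_TERMS.search(text):
        content.append("requests a payment or bank-detail change")
    if URGENCY_TERMS.search(text):
        content.append("applies urgency or secrecy pressure")

    # Flag only when an identity anomaly coincides with a money/urgency request,
    # which keeps an ordinary internal note from the real executive unflagged.
    return {"flag": bool(identity) and bool(content), "reasons": identity + content}


# Constructed sample messages, one per scenario plus a benign control.
SAMPLES = {
    "ceo_fraud": (
        "From: Jane Doe <jane.doe@example-corp.co>\n"
        "To: payments@example-corp.com\n"
        "Subject: Urgent wire transfer\n"
        "\n"
        "I need you to wire $45,000 to the account below today. Keep this confidential.\n"
    ),
    "supplier_swindle": (
        "From: Accounts <billing@acme-suppl1es.com>\n"
        "To: ap@example-corp.com\n"
        "Subject: Invoice 4471\n"
        "\n"
        "Please note our bank account details have changed. Wire the funds to the new account.\n"
    ),
    "hacked_account": (
        "From: Jane Doe <jane.doe@example-corp.com>\n"
        "Reply-To: jane.doe.ceo@webmail-example.net\n"
        "To: ap@example-corp.com\n"
        "Subject: Vendor invoice\n"
        "\n"
        "Please process the attached invoice payment immediately.\n"
    ),
    "benign": (
        "From: Jane Doe <jane.doe@example-corp.com>\n"
        "To: staff@example-corp.com\n"
        "Subject: Lunch\n"
        "\n"
        "Team lunch Friday at noon.\n"
    ),
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        result = analyze(raw)
        print(f"{label}: flag={result['flag']}")
        for reason in result["reasons"]:
            print(f"  - {reason}")
```

The identity checks are the ones a mail gateway cannot fully replace: SPF and DKIM say nothing about a lookalike domain the attacker legitimately registered, and a hacked account passes both. Pairing them with the payment and urgency signals mirrors the procedural control the article recommends, which is to route any flagged request to the IT security team rather than acting on it.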
As technology evolves, more phishing techniques will be born. Apart from arming yourself with information, it is best to stay vigilant and not engage with dubious emails. If you receive a suspicious email at your organization, the first thing you need to do is report the phishing email to the IT security team.