Phishing scams are commonplace today, but that wasn’t always the case. Even though most people have figured out it's not a good idea to wire money to self-proclaimed Nigerian princes, many still fall for phishing attempts hook, line, and sinker.
Let's take a look at the origins of phishing, how it has evolved, and why it's important for IT consultants to educate clients about phishing attacks.
The Early Days of Phishing Scams
It may feel like phishing scams have plagued us forever, but they only date back to 1995. According to Phishing.org, the origins of phishing can be traced to the early days of America Online (AOL).
"AOL was the primary way that hackers used to communicate with one another," says Steven Hausman (@StevenHausman), Ph.D., of Hausman Technology Presentations.
"Initially these phishers attempted to steal user passwords by using a computer program called AOHell to generate legitimate credit card numbers along with fake phone numbers and addresses. This didn’t work especially well, but occasionally they were able to generate a seemingly valid number and it could be used to open an AOL account that was used to spam other computer users."
AOL eventually caught on and shut that scam down, so hackers moved on to impersonating AOL employees. Using AOL's instant messenger and email systems, hackers asked users to verify their accounts or confirm their billing information, which handed over users' passwords and credit card numbers. Voilà – the birth of phishing!
"Because this ruse had never been used previously, it seemed legitimate. Many AOL users were duped in this manner until AOL started to warn people on its message sites not to provide financial information when asked," says Hausman.
The Evolution of Phishing
As the use of the Internet and email grew in popularity, so did the number of email phishing scams.
"Phishing evolved into sending automated campaigns to thousands, if not millions, of people to steal their credentials," says Stu Sjouwerman (@StuAllard), founder and CEO of KnowBe4, a company that provides security awareness training and maintains the website Phishing.org. "There are five generations of cybercrime, and each generation has used increasingly sophisticated versions and flavors of phishing, like campaigns we see today where an attachment includes a ransomware strain which can take the whole network hostage."
For a recent example of that kind of attack, read "Why IT Consultants Should Use the WannaCry Cyberattack as a 'Teaching Moment'."
Many phishers are amateurs, sending emails that are easily identifiable as phishing attempts thanks to their rampant spelling and grammar mistakes. However, there are also some pretty crafty folks who are turning phishing into an art.
"Phishing actors adjust the same way a security analyst would, so it's like a constant game of chess – except they have more pieces and are always on the offensive," says William MacArthur, a threat researcher for RiskIQ.
Sjouwerman says there are two primary tactics phishers use. The first is goading victims into action by preying on their desire to prevent a supposed negative consequence.
"That can be, 'Don't get locked out of your email account' or 'You're running out of space on the mail server,' or 'You need to verify your credentials for Microsoft 365,'" says Sjouwerman.
The second offers a positive incentive for victims to click, such as a prize or major discount. According to fact-checking website Snopes, one recent example of a benefit-driven phishing scam was a fake Bed, Bath & Beyond coupon offer on Facebook. Victims were instructed to complete a phony survey, which mined their personal data – and never resulted in a coupon.
This is just one example of how phishers are continuing to refine and expand their techniques beyond email.
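As an added illustration of the two lure styles Sjouwerman describes (fear of a negative consequence versus the promise of a reward), the following Python snippet scores a message for each kind of phrasing and for a call to action, and flags it only when a lure is paired with something to click. This is example code written for this article, not a tool from KnowBe4, RiskIQ or Phishing.org; the sample messages and the phrase lists are constructed for the example and are not drawn from the article.

```python
import re

# Constructed sample messages for this example (not from the article).
SAMPLE_MESSAGES = [
    "Your mailbox is running out of space on the mail server. "
    "Click here to verify your account before it is suspended.",
    "Congratulations! You have won a $500 prize. "
    "Claim your coupon at http://example.invalid/claim",
    "Reminder: the quarterly engineering all-hands is Thursday at 10am in room 4B.",
    "Verify your credentials to unlock your exclusive 50% off coupon: "
    "http://example.invalid/offer",
]

# Phrases that prey on the fear of a negative consequence (tactic 1).
FEAR_PATTERNS = [
    r"\block(ed)? out\b",
    r"\brunning out of space\b",
    r"\bverify your (credentials|account)\b",
    r"\bsuspend(ed)?\b",
    r"\baccount will be (closed|disabled)\b",
    r"\bwithin \d+ hours?\b",
]

# Phrases that dangle a reward (tactic 2).
INCENTIVE_PATTERNS = [
    r"\bcoupon\b",
    r"\bprize\b",
    r"\byou(?:'ve| have) won\b",
    r"\b\d{2,3}% off\b",
    r"\bfree gift\b",
    r"\bclaim your\b",
]

# The "click" the lure is steering the reader toward.
ACTION_PATTERNS = [
    r"\bclick (here|the link|below)\b",
    r"https?://",
    r"\bcomplete (the|this|a) (survey|form)\b",
    r"\blog ?in\b",
]


def _hits(patterns, text):
    """Return the patterns that match anywhere in text (case-insensitive)."""
    return [p for p in patterns if re.search(p, text, re.IGNORECASE)]


def classify_lure(text):
    """Label a message by the phishing tactic its wording suggests.

    Returns a dict with the tactic ("fear", "incentive", "mixed" or "none"),
    the matched phrases, whether a call to action is present, and a
    'suspicious' flag that is set only when a lure is paired with an action.
    """
    fear = _hits(FEAR_PATTERNS, text)
    incentive = _hits(INCENTIVE_PATTERNS, text)
    action = bool(_hits(ACTION_PATTERNS, text))

    if fear and incentive:
        tactic = "mixed"
    elif fear:
        tactic = "fear"
    elif incentive:
        tactic = "incentive"
    else:
        tactic = "none"

    return {
        "tactic": tactic,
        "fear_hits": fear,
        "incentive_hits": incentive,
        "call_to_action": action,
        # A lure with nothing to click is of little use to a phisher, so only
        # flag messages that combine pressure or reward with an action.
        "suspicious": tactic != "none" and action,
    }


def triage(messages):
    """Classify a batch of messages; returns (index, tactic, suspicious) tuples."""
    return [(i, r["tactic"], r["suspicious"])
            for i, r in enumerate(classify_lure(m) for m in messages)]


if __name__ == "__main__":
    for idx, tactic, flagged in triage(SAMPLE_MESSAGES):
        print(f"message {idx}: tactic={tactic:<9} suspicious={flagged}")
```

Run as a script it prints one line per sample: the mailbox warning comes out as "fear", the prize as "incentive", the meeting reminder as "none" and the discount-plus-credentials message as "mixed". Keyword lists like these are deliberately brittle, which is the point MacArthur makes below about attackers altering wording and adding redirects to slip past detection logic; in a real mail gateway this kind of scoring is one signal beside sender authentication and link reputation, and the phrase lists need regular refreshing from the lures actually seen.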
"Phishing has spread beyond the inbox to mobile apps, social media, and instant messaging platforms and replicates exactly the apps we trust with sensitive data every day to fool people," says MacArthur. "One thing has always been the same in phishing attacks: social engineering, i.e., luring people into clicking on a link and providing information so it can be captured and sent off to a drop zone."
Despite the evolution, email remains the primary weapon of choice for phishers. According to Symantec's 2017 Internet Security Threat Report, one in 131 emails contained malware, the highest rate in five years. This is why IT consultants should continue to stress to clients the very real danger phishing emails pose to their companies.
Why IT Consultants Should Teach Their Clients about Phishing
Phishers can encrypt or steal a company's data with just one email. If your client is hacked, they may try to place the blame on the one person they can sue – you. (Related reading: "Digital Assets and Third-Party Cyber Liability: What IT Professionals Should Know.")
That's why it's important for IT consultants to train clients on how to recognize phishing attacks. One conversation won't cut it either – it needs to be a continuous educational process. That's because phishers constantly change their tactics.
"Security technology is evolving to detect phishing, but threat actors are always adapting," says MacArthur. "They notice patterns by anti-phishing groups and alter code and use redirects to bypass the detection logic of these systems to continue to deliver their phishing payloads."
Even if your clients become hip to the ways of phishing scammers, their employees may not. This is why Sjouwerman stresses the importance of phishing prevention training not only for business owners, but their employees as well.
"At [KnowBe4's] new school security awareness training, we do a phishing test – a simulated phishing attack – and see how many people click," says Sjouwerman. "For example, you might say, 'Holy moly, 20 percent of my employees clicked on this link,' and that's what you use as a catalyst to do something about this."
After the initial phishing test training, Sjouwerman recommends you continue to simulate attacks until your employees become ninjas at avoiding the phishers' nets.
For more on why a client's phishing attack could be bad for your business, read "IT Professionals: Even with Great Tech, Companies at Risk."
About the Contributors
Dr. Steven J. Hausman is a nationally top-ranked speaker in the areas of science, technology, engineering, and medicine. He is a recognized futurist, technology consultant, and author. His speaking specialties include robotics and artificial intelligence, nanotechnology, 3D printing, bionics and human enhancement, wearable technology, biometrics, autonomous and electric vehicles, the Internet of Things, the history of technology, brain-machine interfaces, cybersecurity, and security risks of emerging technologies.
William MacArthur is a threat researcher for RiskIQ, focusing on the large array of web threats within the company's vast data set. His past has been mainly at a registrar / hosting provider, which was highlighted by several large investigations, including the identification of domain shadowing victims since 2010, sinkholing C2 domains for Flame malware, hundreds of thousands of domain suspensions, phishing investigations, server cleanup and, later, mitigation of large-scale DDoS attacks and ISOC duties.
Stu Sjouwerman is the founder and CEO of KnowBe4, the provider of the world's most popular integrated new-school security awareness training and simulated phishing platform. KnowBe4 is experiencing explosive yearly growth of 300 percent and services over 2,500 organizations in a variety of industries, including highly regulated fields such as healthcare, finance, energy, government, and insurance. Sjouwerman is the author of four books. His latest is "Cyberheist: The Biggest Financial Threat Facing American Businesses Since the Meltdown of 2008."