
A Brief History on Phishing Scams

Posted: September 27, 2005

What is Phishing?

Phishing is just what it sounds like: "fishing." Only instead of angling for fish, phishers try to bait a sea of Internet users into giving them personal - and usually financial - information. Criminals spam thousands of computer users with spoofed emails and copycat websites designed to fool you into revealing data such as credit card numbers, account usernames and passwords, social security numbers, etc.

Typically, a phishing scam works like this: you get an email that seems to come from a trustworthy company - maybe a well-known bank or online retailer - containing a message intended to alarm you into taking action. In common phishing scams, the emails use pressure tactics, warning that failure to respond will result in you no longer having access to your account. Other emails prey on fear, claiming that the company has detected suspicious activity in your account or is implementing new privacy software or identity theft solutions. The same email then provides a convenient link to take you to a copycat website. Once at that page, you're prompted to enter personal information, which is then captured by the fraudster.

Where does "Phishing" Come From?

Sometimes it's said the term "phishing" stands for "password harvesting fishing." Most likely that acronym was coined retroactively. The term probably comes from the analogy that these phishing scam artists are fishing for victims: they throw out a ton of bait - spamming with all those copycat emails - and only need a few people to bite.

As for the "ph," that's a common hacker replacement for "f," and a nod to the original form of hacking, known as "phreaking." The term "phreaking" was coined by the first hacker, John Draper, and this is the origin of a lot of the "ph" spelling in various hacker organizations and pseudonyms. In the early 1970s John invented "phone phreaking" by creating the notorious Blue Box, a device he used to hack telephone systems. The Blue Box emitted tones that gave its user control over the phone switches, making it possible to bill calls to someone else's phone number or call long distance for free.

Obviously hacking later spread to the Internet, and, decades later in 1996, hacked accounts were being called "phish." By 1997 phish were actually being traded between hackers as a form of currency. Hackers would regularly exchange ten working AOL phish for a piece of software that they wanted.

Over the years, phishing scams have grown from simply stealing AOL dialup accounts into a much more threatening criminal enterprise. Phishing attacks now target financial institutions, users of online banking, payment services such as PayPal, and online ecommerce sites like eBay. Phishing fraud is growing quickly in number and sophistication. In fact, the Anti-Phishing Working Group reports that since August 2003 most major banks in the USA, the UK and Australia have been hit with phishing attacks.

Phishing scam tactics have been used in letter and fax scams such as the Nigerian Scam, or Advance Fee Fraud. You may know the one: you receive a pleading message stating that the sender has millions of dollars and needs help transferring it out of Nigeria, or some other country. To reward you for helping, the sender promises to pay you a third of the money. Once you respond, the sender explains that there are transfer fees for the transaction, and you'll need to pay them. The Nigerian Scam may seem a bit obvious, but it's still being emailed around. This scam is a close cousin to early phishing emails: before 2003, phishing emails were text-heavy and sprinkled with spelling errors and poor grammar that tipped recipients off. Naturally, though, as Internet users grow more savvy, phishers do too - their writing and design skills are sharper, creating messages that are more difficult to see through. Check out this brief timeline to see the development of phishing:

August 2003:

Most major banks in the USA, the UK, and Australia are hit with phishing attacks.

September 2003:

Phishers buy look-alike domain names, like yahoo-billing.com and paypa1.com. They also build websites that contain the names of well-known brands and companies, such as ebay-fulfillment.com or microsoft.checkinfo.com.
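The four addresses above follow patterns a mail gateway or domain-monitoring job can flag. As an added example, not code from the original article, here is a small Python checker for those patterns: a brand spelled with look-alike digits (paypa1), a brand hyphenated to extra words (yahoo-billing), and a brand used as a subdomain of an unrelated domain (microsoft.checkinfo.com). The brand list and the two-label public-suffix handling are simplifying assumptions.

```python
# Brands to protect (constructed list for this example; a real deployment
# would load the organisation's own brand and partner names).
PROTECTED_BRANDS = ["yahoo", "paypal", "ebay", "microsoft"]

# Digits and symbols commonly swapped in for the letters they resemble.
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "@": "a", "$": "s"}


def normalize(label: str) -> str:
    """Map look-alike characters back to the letters they imitate (paypa1 -> paypal)."""
    return "".join(HOMOGLYPHS.get(ch, ch) for ch in label.lower())


def registrable_domain(hostname: str) -> str:
    """Return the registrable part of a hostname, e.g. checkinfo.com.
    Assumption: a one-label public suffix such as .com; production code
    should consult the Public Suffix List instead of taking the last two labels."""
    labels = hostname.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else hostname.lower()


def lookalike_reasons(hostname: str, brands=PROTECTED_BRANDS):
    """Return the reasons a hostname imitates a protected brand (empty list if none)."""
    reasons = []
    labels = hostname.lower().strip(".").split(".")
    reg = registrable_domain(hostname)
    reg_label = reg.split(".")[0]
    for brand in brands:
        # The brand's own domain: the registrable label is exactly the brand.
        if reg_label == brand:
            continue
        # paypa1.com: the registrable label normalizes to the brand.
        if normalize(reg_label) == brand:
            reasons.append(f"homoglyph substitution for '{brand}' in '{reg_label}'")
        # yahoo-billing.com / ebay-fulfillment.com: brand joined to extra words.
        elif brand in normalize(reg_label).split("-"):
            reasons.append(f"'{brand}' combined with other words in '{reg_label}'")
        # microsoft.checkinfo.com: brand appears as a subdomain of another domain.
        elif any(normalize(label) == brand for label in labels[:-2]):
            reasons.append(f"'{brand}' used as a subdomain of '{reg}'")
    return reasons


def is_lookalike(hostname: str) -> bool:
    """True when the hostname matches any of the look-alike patterns above."""
    return bool(lookalike_reasons(hostname))
```

Run it over the hostnames extracted from inbound links; a non-empty reason list is a signal to quarantine or at least annotate the message, not proof on its own.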

October 2003:

Phishers incorporate copycat website designs into their emails, complete with stolen logos and fake return email addresses that appear to come from a real company.

  • An email worm is released, targeting customers of the online payment service PayPal. The recipients are asked to update their credit card information via a copycat website of PayPal's member services page. Later versions demand a date of birth, mother's maiden name, and Social Security number - information that financial companies rely on most to verify their customers' identities.

December 2003:

Phishing emails send recipients to a fake pop-up for account log-ins, while a real banking website opens in the background. This method is particularly convincing because the authentic site and the pop-up appear to be from the same source.

  • Reports of phishing attacks rise more than 400% over the holidays, according to the Anti-Phishing Working Group.

January 2004:

A standard phishing tactic emerges: after giving up personal financial information on a phishing site, the victim is redirected to the real website of the company being targeted. This psychological trick helps erase doubts that victims may have about the experience and allows more people to be swindled.

  • Phishers target the government, sending out emails posing as the Department of Homeland Security, the Internal Revenue Service, and the Federal Deposit Insurance Corporation.

February 2004:

Phishing websites begin submitting stolen username and password information to the real site to verify that it is valid. If the phished data fails to log in successfully, the victim is prompted to enter a valid user name and password.

April 2004:

Phishers now conceal what is usually the weakest part of their scams - the unconvincing Internet addresses that appear in the web browser after clicking on the link in a phishing email. New programming tricks disguise the URL of the phishing site as that of the company being impersonated.

May 2004:

57 million U.S. adults think they have received a phishing email. More than 1.4 million users are victims of identity theft fraud, costing banks and card issuers $1.2 billion in direct losses in 2003, reports research and analysis company Gartner Inc.

June 2004:

Loads of public websites are infected with a new virus capable of stealing private account information when someone visits. Once inside a victim's PC, the virus waits until that person visits banking sites, then launches a pop-up that requests personal financial information.

July 2004:

Scammers begin sending phishing messages through America Online's Instant Messenger (AIM) program.

August 2004:

Phishers send emails impersonating the website of Massachusetts Sen. John F. Kerry's presidential campaign, hoping to pocket online campaign contributions.

  • Phishing tool kits - containing spamming software, along with graphics, web code and text required to construct copycat websites - are supposedly available for free download, reports UK internet magazine WebUser.

September 2004:

Research and analysis company Gartner Inc. reports that while criminals use many methods and means to steal consumer information, identities and money, online-related fraud is rising the fastest.

October 2004:

Scammers open legitimate-seeming, fake online banks, pharmacies, and mortgage-and-loan firms to steal credit card numbers. Online security company Websense reports that these more sophisticated scams now outnumber standard fly-by-night phishing sites.

  • For the first time in the world, charges relating to phishing are pressed against two men and two women in a London court. The four people were allegedly part of a gang that conned consumers into handing over confidential bank details via phishing emails.

December 2004:

The Digital PhishNet is founded, a joint enforcement initiative between industry and law enforcement designed to catch and prosecute those responsible for committing crimes through phishing.

January 2005:

12,845 new, unique phishing email messages are reported, a 42% increase since December 2004, states the Anti-Phishing Working Group.

February 2005:

A more sophisticated PayPal scam surfaces - instead of asking email recipients to simply confirm their account details, these phishers steal personal financial information by informing users that an additional address has been added to their PayPal account. Like true confirmation emails, the message prompts recipients to click a convenient link if they have not authorized this change.

  • Senator Patrick Leahy introduces a federal bill (the Anti-phishing Act of 2005) that would result in criminal charges for anyone who creates fraudulent websites and sends misleading email with the intent of phishing.

March 2005:

Phishers utilize DNS redirecting, misdirecting Internet users from popular sites, such as eBay or Google, to spoof web servers that silently install spyware on users' PCs. One expert warns that future attacks could be virtually undetectable - there would be no indication on users' browsers whether the sites they were visiting were legitimate or not.

MONTH 2005:

The US Department of Justice releases a special report on phishing, warning Internet users of the common tactics used in phishing scams and the specific federal laws that phishing violates.

2 Comments

  • Antonetta Howells says:

    I need to follow up and let you know how I used some of your tips, and it has helped with my shower. Just wanted to come back and show my appreciation. hugs

  • riversound says:

    You can certainly see your enthusiasm within the work you write. The arena hopes for more passionate writers like you who aren't afraid to mention how they believe. Always go after your heart.
