Phishing is an attack method that has been around since the mid-1990s. It started when a group of young people abused AOL’s chat rooms to impersonate AOL administrators. They stole credit card numbers from other users so that they would always have free AOL access.
AOL’s “new member chatroom” was intended as a place where users could get help using the service. The hackers created screen names that looked like those of legitimate AOL administrators, such as “BillingAccounting,” and told users that there were issues with their accounts.
The user was asked to provide a card number to get the issues resolved. The criminals then used the card numbers to pay for their own accounts. While the term “phishing” was coined to describe this attack and others like it, it has now come to be associated primarily with email scams. Phishing scams continue to this day in abundance. According to the Verizon 2021 Data Breach Investigations Report (DBIR), 36% of breaches involved phishing.
Since phishing relies primarily on social engineering, it is critical for all users to understand how attackers exploit human nature. Put simply, social engineering is a con: the attacker convinces users to do something they would not normally do.
Social engineering could be as simple as someone with full hands asking that a door be opened. Similarly, a social engineering attack can start with someone dropping USB thumb drives labeled “family photos” in a parking lot. These USB thumb drives could contain malware that gets installed onto a computer, compromising security in some way. This is known as baiting.
Phishing is used primarily in reference to generic email attacks, in which an attacker sends emails to as many addresses as possible while impersonating a widely used service such as PayPal or Bank of America.
The email states that the account is compromised and prompts you to click on a link to “verify” the account. The link will usually do one of two things, or both:
- It can take you to a malicious website that looks similar to the authentic site, for example, “www.PayPals.com” versus “www.PayPal.com.” Note the extra “s” in the first URL. Other common variants swap look-alike characters (“paypa1.com”) or bury the brand name in a subdomain of an attacker-controlled domain (“paypal.com.example.net”). Once you are on the malicious website, the hacker captures your user ID and password when you attempt to log in.
The hacker now has access to your account and can transfer money anywhere. There is a second possible payoff for the attacker: if you reuse passwords, the captured password may also open your other accounts, such as Amazon or eBay.
- It can infect your computer by downloading malicious software (malware). Once installed, the software can be used for future attacks. The malware could be a keystroke logger that captures logins or credit card numbers, or it could be ransomware that encrypts drive contents and holds them for ransom, usually payable in Bitcoin.
At that point the hacker can also use the infected computer to mine cryptocurrency. The miner may run only while you are away from the computer, or it may consume a share of the CPU at all times. Either way the hacker earns coins from your hardware, and your computer typically runs more slowly.
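The look-alike domain trick in the first bullet above can be caught mechanically. The following is an added example written for this page, not code from the original article: it extracts URLs from a constructed sample email, reduces each hostname to its registrable domain, and flags hosts that are not an exact match for a trusted brand domain but either contain the brand name (for example “paypal.com” used as a subdomain of another domain, or “PayPals.com”) or sit within a small edit distance of it after undoing common character substitutions such as “1” for “l”. The trusted-domain list, the homoglyph table, the “last two labels” approximation of the registrable domain and the sample email are all assumptions made for the example.

```python
import re
from urllib.parse import urlparse

# Brands treated as legitimate (assumption: a real deployment would load an
# organisation-specific allow-list and use the public suffix list).
TRUSTED_DOMAINS = ["paypal.com", "bankofamerica.com", "amazon.com", "ebay.com"]

# Character substitutions attackers commonly use to imitate a brand name.
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w"}

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def levenshtein(a, b):
    """Minimum number of single-character edits that turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def normalize(text):
    """Lower-case and undo the look-alike substitutions in HOMOGLYPHS."""
    text = text.lower()
    for glyph, real in HOMOGLYPHS.items():
        text = text.replace(glyph, real)
    return text


def registrable_domain(host):
    """Crude 'last two labels' approximation (assumption: fine for .com-style names)."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:])


def classify_host(host):
    """Return (verdict, brand): verdict is 'trusted', 'lookalike' or 'unknown'."""
    host = host.lower().rstrip(".")
    dom = registrable_domain(host)
    if dom in TRUSTED_DOMAINS:
        return "trusted", dom
    norm_host = normalize(host)
    label = normalize(dom.rsplit(".", 1)[0])  # e.g. "paypals" from "paypals.com"
    for trusted in TRUSTED_DOMAINS:
        brand = trusted.rsplit(".", 1)[0]
        # Brand name embedded anywhere in the host: paypals.com, secure-paypal.com,
        # paypal.com.account-verify.net (brand used as a subdomain).
        if brand in norm_host:
            return "lookalike", trusted
        # Typo-squat within a small edit distance: payapl.com, bankofamerlca.com.
        if levenshtein(label, brand) <= (1 if len(brand) <= 6 else 2):
            return "lookalike", trusted
    return "unknown", None


def scan_email(body):
    """Classify every http(s) URL found in an email body."""
    findings = []
    for url in URL_RE.findall(body):
        host = urlparse(url).hostname or ""
        verdict, brand = classify_host(host)
        findings.append((url, host, verdict, brand))
    return findings


# Constructed sample phishing email for the demonstration.
SAMPLE_EMAIL = """Dear customer,
We detected unusual activity. Verify your account at http://www.PayPals.com/verify
within 24 hours or it will be suspended. Alternatively use https://paypal.com.account-verify.net/login
Thank you, PayPal Security Team"""


if __name__ == "__main__":
    for url, host, verdict, brand in scan_email(SAMPLE_EMAIL):
        print(f"{verdict:9} {host:35} {brand or '-':20} {url}")
```

The substring check deliberately errs on the side of flagging: a host such as “debayan.org” would be reported as resembling eBay. In a mail gateway that is the right trade-off, since a flagged link is only quarantined for review, whereas a missed one reaches the user.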
Phishing has evolved throughout the years to include attacks that address different types of data. In addition to money, attacks can also target sensitive data or photos.