The origin of the name “phishing” is easy enough to trace. The process of performing a phishing scam is much like actual, aquatic fishing. You assemble some bait designed to deceive your victim, then you cast it out and hope for a bite. As for the digraph “ph” replacing the “f,” it could be the result of a portmanteau of “fishing” and “phony,” but some sources point back to another possible origin.
In the 1970s, a subculture formed around the practice of using low-tech hacks to exploit the telephone system. These early hackers were called “phreaks”—a combination of “phone” and “freaks.” At a time when there weren't many networked computers to hack, phreaking was a common way to make free long-distance calls or reach unlisted numbers.
Even before the actual phishing term took hold, a phishing technique was described in detail in a paper and presentation delivered to the 1987 International HP Users Group, Interex.
The use of the name itself is first attributed to a notorious spammer and hacker in the mid-1990s, Khan C Smith. Also, according to Internet records, the first time that phishing was publicly used and recorded was on January 2, 1996. The mention occurred in a Usenet newsgroup called AOHell. At the time, America Online (AOL) was the number one provider of Internet access, with millions of log-ons daily.
Naturally, AOL's popularity made it a target for fraudsters. Hackers and software pirates used it to communicate with one another, as well as to conduct phishing attacks on legitimate users. When AOL took steps to shut down AOHell, the attackers turned to other techniques. They sent messages to AOL users claiming to be AOL employees and asked people to verify their accounts and hand over billing information. Eventually, the problem grew so bad that AOL added warnings on all email and instant messenger clients stating "no one working at AOL will ask for your password or billing information."
“Social networking sites became a prime phishing target.”
Going into the 2000s, phishing turned its attention to exploiting online payment systems. It became common for phishers to target bank and online payment service customers, some of whom—according to subsequent research—might have even been accurately identified and matched to the actual bank they used. Likewise, social networking sites became a prime phishing target, attractive to fraudsters since personal details on such sites are useful for identity theft.
Criminals registered dozens of domains that spoofed eBay and PayPal well enough that they passed for the real thing if you weren't paying close enough attention. PayPal customers then received phishing emails (containing links to the fake website), asking them to update their credit card numbers and other personally identifiable information. The first known phishing attack against a bank was reported by The Banker (a publication owned by The Financial Times Ltd.) in September 2003.
By the mid-2000s, turnkey phishing software was readily available on the black market. At the same time, groups of hackers began to organize in order to orchestrate sophisticated phishing campaigns. Estimated losses due to successful phishing during this time vary, with a 2007 report from Gartner stating that as many as 3.6 million adults lost $3.2 billion between August 2006 and August 2007.
“In 2013, 110 million customer and credit card records were stolen from Target customers.”
In 2011, phishing found state sponsors when a suspected Chinese phishing campaign targeted Gmail accounts of highly ranked officials of the United States and South Korean governments and militaries, as well as Chinese political activists.
In perhaps the most famous event, in 2013, 110 million customer and credit card records were stolen from Target customers, through a phished subcontractor account.
Even more infamous was the phishing campaign launched by Fancy Bear (a cyber espionage group associated with the Russian military intelligence agency GRU) against email addresses associated with the Democratic National Committee in the first quarter of 2016. In particular, Hillary Clinton's campaign manager for the 2016 presidential election, John Podesta, had his Gmail hacked and subsequently leaked after falling for the oldest trick in the book—a phishing attack claiming that his email password had been compromised (so click here to change it).
In 2017, a massive phishing scam tricked Google and Facebook accounting departments into wiring money, a total of over $100 million, to overseas bank accounts under the control of a hacker.
In the 1970s, a subculture formed around the practice of using low-tech hacks to exploit the telephone system. These early hackers were called “phreaks”—a combination of “phone” and “freaks.” At a time when there weren't many networked computers to hack, phreaking was a common way to make free long-distance calls or reach unlisted numbers.
Even before the actual phishing term took hold, a phishing technique was described in detail in a paper and presentation delivered to the 1987 International HP Users Group, Interex.
The use of the name itself is first attributed to a notorious spammer and hacker in the mid-1990s, Khan C Smith. Also, according to Internet records, the first time that phishing was publicly used and recorded was on January 2, 1996. The mention occurred in a Usenet newsgroup called AOHell. At the time, America Online (AOL) was the number one provider of Internet access, with millions of log-ons daily.
Naturally, AOL's popularity made it a target for fraudsters. Hackers and software pirates used it to communicate with one another, as well as to conduct phishing attacks on legitimate users. When AOL took steps to shut down AOHell, the attackers turned to other techniques. They sent messages to AOL users claiming to be AOL employees and asked people to verify their accounts and hand over billing information. Eventually, the problem grew so bad that AOL added warnings on all email and instant messenger clients stating "no one working at AOL will ask for your password or billing information."
“Social networking sites became a prime phishing target.”
Going into the 2000s, phishing turned its attention to exploiting online payment systems. It became common for phishers to target bank and online payment service customers, some of whom—according to subsequent research—might have even been accurately identified and matched to the actual bank they used. Likewise, social networking sites became a prime phishing target, attractive to fraudsters since personal details on such sites are useful for identity theft.
Criminals registered dozens of domains that spoofed eBay and PayPal well enough that they passed for the real thing if you weren't paying close enough attention. PayPal customers then received phishing emails (containing links to the fake website), asking them to update their credit card numbers and other personally identifiable information. The first known phishing attack against a bank was reported by The Banker (a publication owned by The Financial Times Ltd.) in September 2003.
By the mid-2000s, turnkey phishing software was readily available on the black market. At the same time, groups of hackers began to organize in order to orchestrate sophisticated phishing campaigns. Estimated losses due to successful phishing during this time vary, with a 2007 report from Gartner stating that as many as 3.6 million adults lost $3.2 billion between August 2006 and August 2007.
“In 2013, 110 million customer and credit card records were stolen from Target customers.”
In 2011, phishing found state sponsors when a suspected Chinese phishing campaign targeted Gmail accounts of highly ranked officials of the United States and South Korean governments and militaries, as well as Chinese political activists.
In perhaps the most famous event, in 2013, 110 million customer and credit card records were stolen from Target customers, through a phished subcontractor account.
Even more infamous was the phishing campaign launched by Fancy Bear (a cyber espionage group associated with the Russian military intelligence agency GRU) against email addresses associated with the Democratic National Committee in the first quarter of 2016. In particular, Hillary Clinton's campaign manager for the 2016 presidential election, John Podesta, had his Gmail hacked and subsequently leaked after falling for the oldest trick in the book—a phishing attack claiming that his email password had been compromised (so click here to change it).
In 2017, a massive phishing scam tricked Google and Facebook accounting departments into wiring money, a total of over $100 million, to overseas bank accounts under the control of a hacker.