September 1, 2024, 6:53 am | Read time: 8 minutes
Reports of new phishing attempts regularly make the rounds. But what is the origin of phishing? TECHBOOK explains the term and the many existing variations of this scam.
It may sometimes be forgotten, but everyone likely has it: the spam folder in their email program. This is where brazen scams usually end up, some more convincing than others, and they generally fall under the category of phishing. The term is practically ubiquitous when it comes to internet security. But what is the origin of phishing? TECHBOOK explains the term itself and how the scam has evolved.
Origin of Phishing: The Trail Leads to the ’90s
Who truly coined the term phishing seems to be a matter of debate among historians. According to the blog “Graphus,” the well-known hacker and spammer Khan C. Smith came up with the word. He supposedly introduced it in a Usenet newsgroup. The website “Malwarebytes” states that he did this in 1996.
At the same time, the then-teenager Koceilah Rekouche might also be responsible for the creation of the term phishing, as indicated by a 2016 study in the Journal of General Internal Medicine on cybercrime against the U.S. health system. Rekouche himself claimed in a later published essay that someone in his circle called the scam “fishing” in 1995, and he later adopted the final spelling “phishing.”
Why “ph”?
Rekouche, known online as “Da Chronic,” learned in 1994 from hacker Dave Lusby about a scheme to trick AOL members by posing as an employee. This gained their trust and “fished” for their login details. This became the basis for the first automated software called “AOHell,” which Rekouche developed, where the first recorded mentions of “fishing” or “phishing” appeared.
Rekouche did not comment on how the alternative spelling with “ph” came about. According to Merriam-Webster, however, the prevailing theory is that it comes from “phreaking,” the manipulation of telephone systems to make calls without paying for them. Its practitioners were called “phreaks” (short for “phone freaks”). Because hackers and phreaks were closely linked, the spelling was supposedly carried over.
Phishing gained momentum in the ’90s, but as early as 1987, such a scam technique was demonstrated at a conference. It is unclear if there are earlier instances.
What is Phishing?
Phishing is the most widespread form of cybercrime and can affect individuals and companies alike. According to “Graphus,” up to three billion phishing messages were sent daily in 2022. The basic principles and goals of phishing have not changed over the decades. Cybercriminals still primarily aim to steal login, bank, or other sensitive data from unsuspecting individuals. They use common electronic communication channels such as email, websites, SMS, chats, or even direct phone calls.
Typically, the perpetrators pose as companies, businesses, or other individuals that the victims might know. Under false pretenses and creating a sense of urgency, they aim to get victims to reveal important details.
This is where the aspect of so-called social engineering comes into play: people are manipulated into giving up information using psychological tricks and a mix of trust and fear. Misleading links are often a central component. However, there are also variants without emails.
Commonly faked issues include sudden account closures, false payments, or even alleged free months on Netflix.
11 Different Types of Phishing
Criminal strategies have evolved. Phishing can now appear in many ways and forms. Below, we list the most common types:
Deceptive Phishing
The most common phishing method online. Criminals fake a company’s internet domain where victims are supposed to enter their data, which can then be intercepted. To lure them to these sites, convincing emails are sent, often with a link.
Sometimes the links are not clickable and must be copied into the address bar by hand; according to Kaspersky, security filters have a harder time detecting such phishing attempts. Also misleading: the fake sites can hide behind seemingly secure HTTPS encryption. The browser’s padlock only shows that the connection is encrypted, not that the site belongs to the company it claims to be.
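The checks a mail filter or a careful reader would apply to the links in such a message can be written down in a few dozen lines. The following Python script is an added example, not code from TECHBOOK or from Kaspersky: it pulls every clickable link and every copy-by-hand URL out of an HTML mail body, compares the domain a link really points to against an allowlist of the company’s genuine domains, flags links whose visible text shows one address while the target is another, and notes that an `https://` scheme is no evidence of legitimacy. The allowlist `LEGIT_DOMAINS`, the domain names and the sample mail are all constructed for the example; the same `assess_link` check applies unchanged to a URL received by SMS or decoded from a QR code.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical allowlist: the domains the impersonated company really uses.
LEGIT_DOMAINS = {"example-bank.com"}

# Matches clickable and plain-text URLs alike (the kind a mail asks you to copy by hand).
URL_RE = re.compile(r"(?:https?://|www\.)[^\s<>\"']+", re.IGNORECASE)


class MailLinks(HTMLParser):
    """Collect (href, visible text) for every <a>, plus all visible text of the mail."""

    def __init__(self):
        super().__init__()
        self.links, self.text = [], []
        self._href, self._anchor = None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._anchor = dict(attrs).get("href"), []

    def handle_data(self, data):
        self.text.append(data)
        if self._href is not None:
            self._anchor.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._anchor).strip()))
            self._href = None


def host_of(url):
    """Host name of an http(s) URL, or '' for other schemes (mailto:, tel:, ...)."""
    if url.lower().startswith("www."):
        url = "http://" + url
    parts = urlparse(url)
    return (parts.hostname or "").lower() if parts.scheme in ("http", "https") else ""


def registrable(host):
    """Crude approximation of the registrable domain: the last two labels of the host."""
    return ".".join(host.strip(".").split(".")[-2:])


def assess_link(href, text):
    """Return human-readable findings for one link; an empty list means nothing suspicious."""
    target = host_of(href)
    if not target:
        return []
    findings = []
    if registrable(target) not in LEGIT_DOMAINS:
        findings.append(f"target domain {target} is not an approved domain")
    if "xn--" in target:
        findings.append("punycode label in host name (possible look-alike domain)")
    if URL_RE.fullmatch(text) and host_of(text) != target:
        findings.append(f"visible text shows {host_of(text)} but the link goes to {target}")
    if findings and href.lower().startswith("https://"):
        findings.append("HTTPS only encrypts the connection; it does not vouch for the site")
    return findings


def scan_message(body):
    """Return [(url, findings), ...] for clickable links and copy-by-hand URLs in an HTML mail."""
    parser = MailLinks()
    parser.feed(body)
    results = [(href, assess_link(href, text)) for href, text in parser.links]
    already = {href for href, _ in parser.links} | {text for _, text in parser.links}
    # URLs that appear only as text are still links; the user is just asked to paste them.
    for url in URL_RE.findall("".join(parser.text)):
        if url not in already:
            results.append((url, assess_link(url, url)))
    return results


# Constructed sample mail (not a real message): urgency, a disguised link, a copy-by-hand URL.
SAMPLE_MAIL = """<p>Dear customer, your account will be closed within 24 hours.</p>
<p>Verify now: <a href="https://example-bank.com.verify-login.net/x">https://example-bank.com/login</a></p>
<p>If the link does not work, copy this address into your browser: https://example-bank-secure.net/login</p>
<p>Questions? Visit <a href="https://example-bank.com/help">our help page</a>.</p>"""

if __name__ == "__main__":
    for url, findings in scan_message(SAMPLE_MAIL):
        print(url, "->", findings or ["no findings"])
```

Run as is, the script reports three findings for the disguised link (foreign domain, mismatch between shown and real host, HTTPS not a trust signal), two for the copy-by-hand URL, and none for the genuine help-page link. `registrable()` deliberately trusts only the last two labels, which is why `example-bank.com.verify-login.net` is recognised as `verify-login.net` rather than as the bank.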
Spear Phishing
Cybercriminals usually focus on quantity over quality with phishing emails. Not so with spear phishing. This is a targeted attack on individual people, using highly tailored techniques. This requires research and reconnaissance beforehand.
Because the messages are so well adapted to the recipients, spam filters have more difficulty recognizing them as scams. A conceivable spear phishing scenario could involve posing as an executive to get employees to divulge information.
Whale Phishing/Whaling
Whale phishing or whaling works exactly like spear phishing, but targets “whales”: high-ranking executives like CEOs. They possess particularly valuable information, so the potential damage can be significant. The phishing emails used are perfectly tailored to the target person, using information from search engines and social media. Correct salutations, names, titles, job descriptions, and other details are used to build trust.
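Both the spear-phishing scenario (someone posing as an executive to pressure employees) and whaling rely on a name and title the recipient trusts. A mail gateway can catch the simplest form of this, where the display name is an executive’s but the address is not, with a directory lookup. The script below is an added example, not code from TECHBOOK: it parses the `From:` header, checks whether the display name matches an entry in a hypothetical executive directory (`EXECUTIVES`, `COMPANY_DOMAIN` and both sample mails are constructed for the example), and separately counts the urgency and secrecy phrases these messages lean on. The phrase list is a heuristic, not something the article specifies.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Hypothetical company directory: who the executives are and the address each really uses.
COMPANY_DOMAIN = "example-corp.com"
EXECUTIVES = {"jane doe": "jane.doe@example-corp.com"}

# Phrases typical of the pressure and secrecy such messages rely on (heuristic list).
URGENCY_RE = re.compile(
    r"\b(urgent|immediately|right away|within 24 hours|confidential)\b", re.IGNORECASE
)


def normalize(name):
    """Lower-case and collapse whitespace so 'JANE  Doe' still hits the directory entry."""
    return " ".join(name.lower().split())


def assess_sender(raw_message):
    """Flag a mail whose display name claims to be an executive while the address does not match."""
    msg = message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    addr = addr.lower()
    domain = addr.rpartition("@")[2]
    findings = []
    expected = EXECUTIVES.get(normalize(name))
    if expected and addr != expected:
        where = "outside the company" if domain != COMPANY_DOMAIN else "a different internal address"
        findings.append(
            f"display name '{name}' matches an executive, but the mail comes from {addr} ({where})"
        )
    body = "" if msg.is_multipart() else msg.get_payload()
    urgency = [m.lower() for m in URGENCY_RE.findall(msg.get("Subject", "") + "\n" + body)]
    return {"from": addr, "findings": findings, "urgency": urgency}


# Constructed sample messages (not real mail).
SUSPECT_MAIL = """From: Jane Doe <jane.doe@example-corp-ceo.com>
To: accounting@example-corp.com
Subject: Urgent wire transfer

Hi, I need a payment sent immediately. Keep this confidential; I am in a meeting and cannot take calls.
"""

GENUINE_MAIL = """From: Jane Doe <jane.doe@example-corp.com>
To: accounting@example-corp.com
Subject: Q3 budget review

Could you send me the Q3 figures when you have a moment? Thanks.
"""

if __name__ == "__main__":
    for label, mail in (("suspect", SUSPECT_MAIL), ("genuine", GENUINE_MAIL)):
        print(label, assess_sender(mail))
```

The display-name check fires only when the name is in the directory and the address differs, so ordinary external senders who share a name with nobody on the list produce no noise; the urgency count is reported separately because a genuine executive can also write “urgent,” and the two signals are strongest together.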
Clone Phishing
Based on a real email with an attachment that the victim has already received, perpetrators create a deceptively real copy. The sender address appears legitimate, but all links and attachments are replaced with malicious ones. This often comes with the supposed information that a mistake was made in the previous (real) email.
Watering Hole Phishing
Predators often lurk at places their prey frequently visits, like watering holes. In cybercrime, this means perpetrators identify websites that potential victims frequently visit. They infect these sites with malware, gaining access to computers when someone revisits the site.
Evil Twin
People often log into public Wi-Fi networks to save mobile data. However, a fraudulent access point may be hiding behind a seemingly legitimate offer to get online. The perpetrator finds the frequency and SSID of a hotspot, then broadcasts their own signal with the real SSID. Anyone who connects to the wrong network has their online activity exposed to the perpetrator.
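Because the evil twin copies only the network name, the one thing it cannot copy without effort is the hardware address (BSSID) of the genuine access point. A small monitor can therefore keep a baseline of which BSSIDs legitimately advertise each SSID and raise an alert when a later scan shows the same name coming from an unknown radio. The script below is an added example, not code from TECHBOOK: the scan rows, the SSIDs and the MAC addresses are all constructed, and the extra “advertises no encryption while the real network does” reason is an added heuristic of my own rather than something the article describes.

```python
from collections import defaultdict

# Constructed scan results in the form (ssid, bssid, channel, security); hypothetical values.
BASELINE_SCAN = [
    ("CafeWifi", "aa:bb:cc:00:00:01", 6, "WPA2"),
    ("CafeWifi", "aa:bb:cc:00:00:02", 11, "WPA2"),   # second AP of the same cafe network
    ("Guest", "dd:ee:ff:00:00:09", 1, "OPEN"),
]
LATER_SCAN = [
    ("CafeWifi", "aa:bb:cc:00:00:01", 6, "WPA2"),
    ("CafeWifi", "12:34:56:78:9a:bc", 6, "OPEN"),    # same SSID, unknown BSSID, no encryption
    ("Guest", "dd:ee:ff:00:00:09", 1, "OPEN"),
]


def build_baseline(scan):
    """Map each SSID to the BSSIDs (and their security mode) seen when the network was known good."""
    baseline = defaultdict(dict)
    for ssid, bssid, _channel, security in scan:
        baseline[ssid][bssid.lower()] = security
    return baseline


def find_evil_twins(baseline, scan):
    """Return one alert per access point that reuses a known SSID from a BSSID not in the baseline."""
    alerts = []
    for ssid, bssid, channel, security in scan:
        known = baseline.get(ssid)
        if known is None:
            continue  # an SSID we have never baselined; nothing to compare against
        if bssid.lower() in known:
            continue  # genuine radio we have seen before
        reasons = ["BSSID not in baseline for this SSID"]
        if security == "OPEN" and any(mode != "OPEN" for mode in known.values()):
            reasons.append("advertises no encryption while the real network does")
        alerts.append({"ssid": ssid, "bssid": bssid, "channel": channel, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    baseline = build_baseline(BASELINE_SCAN)
    for alert in find_evil_twins(baseline, LATER_SCAN):
        print(alert)
```

A real deployment would feed `find_evil_twins` with rows from a wireless scanner rather than the constructed lists, and the baseline should be captured from a trusted position (for example, an operator reading BSSIDs off the access points themselves), since a baseline recorded while a twin is already on the air would whitelist it.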
Search Engine Phishing
According to “Trendmicro,” criminals try to reach the top position in search results with this variant. They aim to exploit search engine queries by placing malicious links as high as possible. Unsurprisingly, they often use imitations of real websites, including banks or online stores.
Smishing/SMS Phishing
These phishing messages reach you via SMS. They also contain dangerous links. The frequently mentioned grandchild scam is a good example. More detailed information can be found in our separate Smishing article.
Vishing
Here, the perpetrators attempt a phishing attack through direct personal contact with the victim, by phone call. Often, a computer calls first and immediately hangs up. When the victim calls back, the criminal is on the line, often posing as a trustworthy or authoritative figure, such as a bank employee, and tries to extract important data.
Particularly insidious: artificial intelligence is now even used for phone scams.
Catphishing/Romance Scam
This tactic involves creating fake online personas. These are used to initiate romantic relationships that remain purely digital, such as through chat. The goal is to obtain money or sensitive information. However, according to “Warda,” catphishing focuses on accessing a specific person, while the comparable romance scam is solely about money.
A particularly bizarre case occurred in 2022 on Instagram in Japan. A senior woman was contacted by a supposed Russian astronaut claiming to be stuck in space. As reported by “Newsweek,” he needed money to return and promised to marry her, professing his love. She sent him the equivalent of $30,000.
Quishing
Most phishing attempts occur in the digital realm. Not so with quishing: here, perpetrators spread fake QR codes, for example, through fake bank letters, but also at charging stations for electric cars and even as fake parking tickets. This is reported by the Consumer Center of North Rhine-Westphalia in a warning.
Scanning the code leads to a malicious website, similar to other methods. At charging stations and with fake parking tickets, they lure with a convenient way to quickly pay the due amount.
What You Can Do Against Phishing
Anyone reachable by any modern technical device can become a target of phishing. Therefore, it is crucial to remain vigilant and carefully check incoming messages for authenticity. Here, we provide three quick tips for recognizing phishing emails.
If you don’t want to wait for a risky email to arrive but prefer to stay a step ahead, take a look at the Phishing Radar of the Consumer Center. It is continuously updated, and individual cases are comprehensively described. Regarding quishing, even the FBI has established seven rules for handling QR codes. Users should always consider these.