Phishing

Phishing is used by identity thieves to acquire the confidential personal and financial information of victims. The term is a variation of “fishing” and refers to identity thieves fishing for victims. Identity thieves, also referred to as “phishers,” pose as representatives from banks, credit card companies, or other financial institutions and e-mail or call victims requesting their personal information. Phishers offer several fraudulent reasons for why the victim must enter their personal information.


Phishing first became popular during the early days of America Online (AOL), one of the first widely used Internet service providers (ISPs). Phishers would pretend to be AOL employees and send users instant messages requesting their passwords for confirmation purposes. Once they procured users’ passwords, phishers could use them to access their accounts for spamming or other nefarious purposes. AOL eventually put policies into place to delete the accounts of anyone involved with phishing and to quickly detect any instant messages that contained phishing-related words.

After AOL’s security increased, phishers started to pretend to be financial institutions such as banks and credit card companies. The first known phishing attempt in which the perpetrator pretended to be a financial institution was in June 2001. A phisher posed as e-gold, a website that allowed users to instantly transfer gold currency. Although this attempt was unsuccessful, it was used by phishers as a test to develop more successful methods.

Following the terrorist attacks of September 11, 2001, phishers began sending out fraudulent identification check e-mails. Recipients were asked to enter their personal information to confirm their identities for reasons of national security. These attempts were also seen as failures but were used to test new methods of phishing.

Online Phishing

After unsuccessful attempts in the early part of the 2000s, phishers started implementing more sophisticated methods to acquire victims’ personal information. By 2004, phishing was seen as a serious and lucrative criminal activity. It led to heightened online security, increased awareness, and several lawsuits and government actions.

Many phishers pose as social media websites such as Facebook. They send users e-mails claiming that they noticed a security issue on the account and that, as a result, users must fill out legal forms, such as terms of use or copyright law forms. These phishers typically state that if users do not comply and fill out the form, their account will be suspended or terminated. A link is usually included in the e-mail that is disguised with a legitimate address, such as Facebook’s web address; in reality, the link will download an executable file if clicked. This kind of trickery is how phishers get victims to download malicious software that exposes personal information and passwords.

Oftentimes phishers include company logos in their e-mails to make them look legitimate. There are several ways to tell whether an e-mail is a phishing scam or not. Common indicators of scam e-mails include misspelled words and threats of account deletion.

In 2006, phishers began using e-mails to pose as the US Internal Revenue Service (IRS). In response, the IRS issued several consumer warnings about the use of the IRS logo for phishing and identity-theft purposes. Several of these IRS-related e-mail phishing scams claimed that the individual was owed a tax refund. The individual was then asked to enter personal information in order to receive the money owed them. The IRS established several ways for consumers to report suspicious e-mails that might be phishing scams.

Some phishers set up fraudulent or replica websites to pose as financial institutions. Once one of these fake websites is visited, users can unknowingly receive malicious software. Even on legitimate websites, phishers can alter the sites’ scripts and security aspects to fool users. This is a particularly successful phishing method, because the fraudulent websites are nearly undetectable to average online users.

In 2006, this type of phishing was carried out against the website of PayPal, a service that allows users to easily transfer money to merchants or other individuals online. Phishers used the PayPal website itself to lure users to a uniform resource locator (URL) hosted on the legitimate PayPal site. There, a warning message created by the phishers appeared, stating that the user’s account had been disabled because it may have been accessed unlawfully by a third party. Users were then redirected to a fraudulent PayPal login page that looked extremely similar to the actual login page.

This technique has also frequently been used on the websites of banks. When users visit the sites, a pop-up window appears, requesting their personal login information for security purposes. Financial institutions responded by increasing online security measures through the use of security questions and images. For example, in 2008, Bank of America implemented a SiteKey system on its website, in which users choose an image that appears every time they log in. If the image does not appear during the login process, the user has been led to a fraudulent site. Other companies hit with phishing attacks during the 2000s included Best Buy, the United Parcel Service (UPS), and First Union Bank.

File-sharing websites and services such as RapidShare have also been used by phishers to harvest information or leave computers vulnerable to later attack. Phishers would use fake websites or alter legitimate ones to sell users RapidShare upgrades that did not exist. Sometimes phishers would send out e-mail newsletters posing as file-sharing websites or would post in forums, encouraging users to pay for fake upgrades. Both of these phishing methods were used to steal victims’ credit card information.

A majority of online phishing in the 2000s was traced to the Russian Business Network (RBN). RBN is a cybercrime organization based in Russia that performs identity theft on a large scale. It undertook some of the largest and most successful phishing scams of the decade, oftentimes selling personal information to criminals for use in identity theft. RBN developed malicious software such as the MPack, which is a kit that was sold to hackers to infect hundreds of thousands of personal computers.

Among the most notable phishing attacks in the 2010s were a 2013 attack on the big-box retailer Target, in which over 100 million customer credit card numbers were stolen, and a similar-sized 2014 attack on the home-improvement chain Home Depot. Phishing attacks on individuals were also on the rise. CNBC reported in 2023 that the number of such attacks on individuals had risen by 61 percent from 2022 to 2023.

Phone Phishing

Phishers also use phones to acquire personal financial information. This method became known as “vishing” (voice phishing). Sometimes they send e-mail messages posing as financial institutions or Internet providers and asking the recipient to call a number. At other times, phishers may steal a list of phone numbers from financial institutions and call the victims themselves. Once victims are on the phone, they may be asked to enter their debit card PIN, Social Security number, or other personal information. The phone numbers victims call are owned by the phishers, who typically use voice over Internet protocol (VoIP) to disguise the location of their numbers, making the phishers difficult to locate. A VoIP number allows phishers to make and receive phone calls using their computer and Internet connection.

Phishers can even use VoIP to disguise the caller identification on the victims’ end. They can call a victim and have the caller identification information correspond to that of a trusted bank or other entity. This makes vishing hard to monitor.

Other phishers use phones to pose as technical support departments from Internet providers or software companies such as Microsoft. Phishers use this method to install malware to gain access to sensitive information. Frequently, once the malicious software has been installed, phishers charge victims to remove it from their computer. Phishers also use this method to adjust the settings on victims’ computers to leave them vulnerable to further unlawful access.

In response, financial institutions, Internet providers, and software companies have released several warnings stating that they will never call and request information or make charges via the phone. They have stated that if anyone calls claiming to be from their institution, individuals should hang up and report the number.

Combating Phishing

The rise of phishing and the massive financial losses it has caused have led to several antiphishing responses on public and private levels. The most basic method of combating phishing has been to educate the public on how to recognize these scams. The IRS has released several consumer warnings throughout the decade, and software companies, including Microsoft, have published materials online to inform the public about phishing. Along with online consumer warnings, the IRS has released informational videos and podcasts and provided consumers with e-mail addresses and telephone numbers they can contact if they suspect they have been the target of phishing attempts.

Because of phishing, several websites, financial institutions, and other entities have changed the way they handle e-mails and information online. For example, PayPal began to include users’ login names in e-mails to let them know they were not being phished. Typically, PayPal phishing e-mails would address users with generic greetings, such as “Dear PayPal user.” In a similar fashion, banks have started to include partial account numbers in e-mails.

Many popular Internet browsers have implemented measures for what is known as “secure browsing.” Several Internet browsers now also include antiphishing technology as part of their browsers and services. If a user attempts to visit a website that is not recognized as secure by Firefox, for example, a warning box will appear or Firefox will simply block the website.

E-mail services such as Gmail have strengthened their spam filters to help combat phishing. Many of these filters utilize language processing to recognize and block e-mails that include common phishing words and sentences.
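As an added illustration (not code from the original article or from any of the providers it names), the following checker scans a constructed HTML e-mail for three of the indicators the article describes: a link whose visible text names one web address while its href points to a different host, a generic greeting such as “Dear PayPal user,” and a threat of account suspension. The sample messages, phrase lists and the documentation-range address 203.0.113.10 are all constructed for this example.

```python
import re
from html.parser import HTMLParser

# Phrase lists are constructed for this example, not a provider's real rule set.
THREAT_PHRASES = ("account will be suspended", "account will be terminated",
                  "confirm your identity", "verify your account")
GENERIC_GREETINGS = ("dear paypal user", "dear customer", "dear user", "dear valued member")

class _LinkExtractor(HTMLParser):
    """Collects (href, visible text) pairs for every <a> tag in the body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def _host(s):
    """Host part of a URL or URL-looking text, scheme and path stripped."""
    s = re.sub(r"^[a-z]+://", "", s.strip(), flags=re.I)
    return s.split("/")[0].split("?")[0].lower()

def phishing_indicators(html_body):
    """Return the names of the indicators found, in a fixed order."""
    found, parser = [], _LinkExtractor()
    parser.feed(html_body)
    for href, text in parser.links:
        shown = _host(text)
        # Only compare when the visible text itself looks like a web address.
        if "." in shown and shown != _host(href):
            found.append("link_text_host_mismatch")
            break
    low = html_body.lower()
    if any(g in low for g in GENERIC_GREETINGS):
        found.append("generic_greeting")
    if any(t in low for t in THREAT_PHRASES):
        found.append("account_threat")
    return found

# Constructed samples: one phishing-style message, one ordinary notification.
SAMPLE_PHISH = """<html><body><p>Dear PayPal user,</p>
<p>We noticed a security issue on your account. If you do not confirm your identity
within 24 hours your account will be suspended.</p>
<p><a href="http://203.0.113.10/login.exe">http://www.paypal.com/security</a></p></body></html>"""
SAMPLE_LEGIT = """<html><body><p>Hello jsmith,</p><p>Your monthly statement is ready:
<a href="https://www.example.com/statements">https://www.example.com/statements</a></p></body></html>"""
```

Real filters combine many more signals (sender authentication, reputation, attachment analysis), so a hit here is a reason to inspect a message, not a verdict on its own.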

The US Federal Trade Commission (FTC) has set up services to help reduce telephone phishing scams. These services encourage users to report suspicious phone calls and phone numbers. The FTC then passes this information on to appropriate law-enforcement officials. Individuals can also register their phone number on the National Do Not Call Registry, which limits the number of telemarketers and potential phishers that can call the number.

Federal Responses

In 2004, the FTC filed a lawsuit against a seventeen-year-old in California who was suspected of perpetrating phishing scams to acquire credit card information. This was the first law-enforcement action brought against a phisher. In 2006, the Federal Bureau of Investigation (FBI) conducted an operation code-named Cardkeeper that led to the arrest of seventeen people involved with international phishing scams in the United States, Poland, and Romania. This group allegedly stole identities, credit card information, and bank information. Four suspects from the group were arrested in the United States and were in possession of machines used to encode cards with victims’ bank information.

On December 16, 2003, US president George W. Bush signed the Controlling the Assault of Non-Solicited Pornography and Marketing Act (CAN-SPAM Act). This act established national standards for the distribution of commercial e-mail. The FTC was given authority to enforce the provisions put forth by the act. It was created to reduce the amount of unwarranted and unwanted e-mails, including phishing-related messages. Although many critics saw it as a failure, the first individual convicted under its provisions was sentenced in 2007. This individual, Jeffrey Brett Goodin, sent thousands of e-mails posing as the AOL billing department and requesting users’ personal information. He was sentenced to serve seventy months in prison.

Impact

Phishing has raised many concerns about the security of valuable personal information that is frequently used online by banks and other entities. During the 2000s and 2010s, various phishing methods managed to successfully rob victims of millions of dollars. Businesses affected by phishing also lost millions of dollars. Phishing was the most successful cybercrime method of the 2020s and changed the way information is distributed online. Its rise has also led to an increase in awareness and heightened security on several fronts.

Bibliography

Bungo, Larissa. "Think You Know What the Top Scam of 2023 Was? Take a Guess." Federal Trade Commission, 9 Feb. 2024, consumer.ftc.gov/consumer-alerts/2024/02/think-you-know-what-top-scam-2023-was-take-guess. Accessed 22 May 2024.

Hong, Jason. "The State of Phishing Attacks." Communications of the ACM, vol. 55, no. 1, 2012, pp. 74–81. Academic Search Complete, search.ebscohost.com/login.aspx?direct=true&db=a9h&AN=71678156. Accessed 23 Nov. 2016.

Jakobsson, Markus, and Steven Myers, editors. Phishing and Countermeasures: Understanding the Increasing Problem of Electronic Identity Theft. John Wiley & Sons, 2007.

James, Lance. Phishing Exposed. Syngress Publishing, 2005.

Lininger, Rachael, and Russell Dean Vines. Phishing: Cutting the Identity Theft Line. Wiley, 2005.

Violino, Bob. "Phishing Attacks Are Increasing and Getting More Sophisticated. Here’s How to Avoid Them." CNBC, 7 Jan. 2023, www.cnbc.com/2023/01/07/phishing-attacks-are-increasing-and-getting-more-sophisticated.html. Accessed 22 May 2024.