Phishing

Phishing (pronounced like ‘fishing’; variants include spear phishing, clone phishing, and whaling) is, as it sounds, an attempt to lay down a line or trap in order to ‘catch’ the desired prey. The first documented use of the term “phishing” was in 1995. Here, the prey is data or information, which the phisher either sells or uses directly in some nefarious and/or criminal manner.

The most common ‘bait’ used in a phishing scam is an email that appears identical to a financial institution’s email letterhead or website branding. It informs recipients of some breach of security and tells them they are required to verify their identity using account numbers, Social Security number, current address, etc. The senders of these phishing emails hope that the recipient will bite on the bait and comply with the fake urgent request. The website that the phishing email points to requests all the information that most secure banking records use to verify and transmit transactions, from secure passwords to Social Security numbers, address, maiden name (if applicable), etc. In the past few years, these phishing emails have expanded the list of services they imitate: everything from auction sites to well-known online retailers has been used to reel in unsuspecting recipients of phishing email scams.

Early on, during the onset of widespread Internet use facilitated by the AOL network, phishing was strongly associated with the warez community, which was dealing in pirated software and in AOL accounts paid for with algorithmically generated credit card numbers. Once AOL shut this practice down, the pirates upped their game and began posing as AOL staff members, sending an instant message to a potential victim and requesting their password in order to verify or confirm their billing information. Of course, once the phisher had the account information, they could expand their scam with impunity. Eventually, AOL purged its online systems of malicious software and cracked down on all phishing activity, and with it the spammer gangs, who moved on to other scams and networks.

It is highly likely that AOL’s actions, in the grand scheme of things, were the impetus for the first online criminals to move from Internet providers to the banking system’s greener pastures. The first known direct attempt was against a payment system, E-Gold, in 2001, and was followed up by several post-9/11 identification checks. Although both of these were only marginally successful, they led to more fruitful attacks and are now recognized as the onset of the global network of online crime. The most recent and infamous attacks have been against the U.S. Internal Revenue Service, social networking sites, and file sharing sites like RapidShare. Many of the most successful attacks were perpetrated by the Russian Business Network group, operating out of St. Petersburg, Russia.

There are now many types of phishing techniques that quite efficiently gather millions of Internet users’ vital information, including a widely shared tool called “Super Phisher” that automates the creation of phishing websites. Regardless of the method used, these attacks cause millions of dollars of damages to both corporate and private users. Combating them, however, has to fall to a great degree on individual users and their common sense. More often than not, users are now more aware, and the old and more conventional phishing techniques are largely obsolete. The best advice for a user who has any questions at all about the legitimacy of an email message is to contact the perceived sender by other means before clicking a link or providing any personal information.
