Phishing is a type of social engineering attack often used to steal user data, including login credentials and credit card numbers. It occurs when an attacker, masquerading as a trusted entity, dupes a victim into opening an email, instant message, or text message.
Phishing prevention has become essential as more criminals turn towards online scams to steal your personal information. We’ve learned to dodge spam emails, but phishing emails can look deceivingly credible. Some are even personalized specifically for you. Since you will likely be exposed to a phishing attack eventually, you’ll need to know the red flags. Scams are nothing new on the web, but phishing is harder to spot than you might think.
Across the web, phishing attacks have baited unsuspecting victims into handing over bank info, social security numbers, and more. Plus, cybercriminals have become even savvier with their disguises. Sometimes these scams hide behind voices you know and trust, like your coworkers, your bank, or even your government. If you so much as click a link, you could be the scammer’s next victim.
As we dive into how to prevent phishing, we’ll answer some important questions:
- What is phishing?
- Am I at risk of being a phishing target?
- What types of phishing scams exist?
- How do I spot a phishing scam?
- What is phishing email?
- What do I do once I’ve identified a phishing email?
- What should I do to avoid being a victim of phishing?
What is Phishing?
Phishing persuades you to take any action that gives a scammer access to your device, accounts, or personal information. By pretending to be a person or organization you trust, they can more easily infect you with malware or steal your credit card information.
In other words, these social engineering schemes “bait” you with trust to get your valuable information. This could be anything from a social media login to your entire identity via your social security number.
These schemes may urge you to open an attachment, follow a link, fill out a form, or reply with personal info. By that logic, you must be on guard at all times, which can be exhausting.
The most common scenario is as follows:
- You open your email and suddenly an alert from your bank appears in your inbox. When you click the link in the email, you are taken to a webpage that looks, more or less, like your bank.
- Here’s the catch: this site is actually designed to steal your information. The alert will say there is a problem with your account and ask you to confirm your login and password.
- After entering your credentials on the page that appears, you are usually sent to the actual institution to enter your information a second time. Because you are steered on to the legitimate institution, you don’t immediately realize your information was stolen.
These threats can get very elaborate and show up in all types of communication, even phone calls. The danger of phishing is that it can deceive anyone who isn’t skeptical of smaller details.
To help you guard yourself without becoming paranoid, let’s unpack how phishing attacks work.
How does Phishing work?
Anyone who uses the internet or phones can be a target for phishing scammers.
Phishing scams normally try to:
- Infect your device with malware
- Steal your private credentials to get your money or identity
- Obtain control of your online accounts
- Convince you to willingly send money or valuables
Sometimes these threats don’t stop with just you. If a hacker gets into your email, contact list, or social media, they can spam people you know with phishing messages seemingly from you.
Trust and urgency are what make phishing so deceiving and dangerous. If the criminal can convince you to trust them and to take action before thinking — you’re an easy target.
Who is at risk of Phishing attacks?
Phishing can affect anyone of any age, whether in their personal life or in the workplace.
Everyone from the elderly to young children is using internet devices nowadays. If a scammer can find your contact information publicly, they can add it to their phishing target list.
Your phone number, email address, online messaging IDs, and social media accounts are harder to hide nowadays. So, there’s a good chance that just having one of these makes you a target. Plus, phishing attacks can be broad or highly targeted in the people they choose to trick.
Spam Phishing
Spam phishing is a broad net being thrown to catch any unsuspecting person. Most phishing attacks fall into this category.
To explain, spam is the electronic equivalent of the ‘junk mail’ that arrives on your doormat or in your postbox. However, spam is more than just annoying. It can be dangerous, especially if it’s part of a phishing scam.
Phishing spam messages are sent out in mass quantities by spammers and cybercriminals that are looking to do one or more of the following:
- Make money from the small percentage of recipients that respond to the message.
- Run phishing scams – in order to obtain passwords, credit card numbers, bank account details, and more.
- Spread malicious code onto recipients’ computers.
Spam phishing is one of the more popular means that scammers get your info. However, some attacks are more targeted than others.
Targeted Phishing
Targeted phishing attacks usually refer to spear phishing or its more focused variant, whaling.
Whaling takes on high-level targets, while spear phishing widens the net. Targets usually are employees of specific companies or government organizations. However, these scams can easily be aimed at anyone seen as particularly valuable or vulnerable.
You might be targeted as a customer of a targeted bank or an employee of a healthcare facility. Even if you’re just responding to a strange social media friend request, you might be phished.
Phishers are much more patient with these schemes. These personalized scams take time to craft, either for a larger potential reward or to increase the chances of success.
Building these attacks may involve gathering details about you or an organization you happen to be involved with.
Phishers might take this information from:
- Social media profiles
- Existing data breaches
- Other publicly discoverable info
The actual attack might be swift, with an immediate push to get you to take an action. Other phishers might build a connection with you for months to earn your trust before the big “ask.”
These attacks aren’t limited to direct messages or calls — legitimate websites might be hacked directly for a phisher’s benefit. If you’re not careful, you might be phished just by logging in to a site that is normally perfectly safe.
Unfortunately, it seems many people are convenient targets for these criminals. Phishing has become a new “normal” as these attacks have ramped up in frequency.
What types of Phishing Scams should I know about?
The first hurdle is understanding what to expect from phishing. It can be delivered by all kinds of means, including phone calls, texts, and even hijacked URLs on perfectly legitimate websites.
Phishing is much easier to understand once you’ve seen it in action. You’ve probably already seen a few of these scams and just chucked them aside as spam.
Regardless of how they are targeted, phishing attacks take many roads to get to you and most people are likely to experience at least one of these forms of phishing:
- Phishing email appears in your email inbox — usually with a request to follow a link, send a payment, reply with private info, or open an attachment. The sender’s email might be tailored to closely resemble a valid one and may contain info that feels personal to you.
- Domain spoofing is a popular way an email phisher might mimic valid email addresses. These scams take a real company’s domain (ex: @america.com) and modify it. You might engage with an address like “arneria.com” and fall victim to the scheme.
- Voice phishing (vishing) scammers call you and impersonate a valid person or company to deceive you. They might redirect you from an automated message and mask their phone number. Phishers will try to keep you on the phone and urge you to take action.
- SMS phishing (smishing), similarly to vishing, imitates a valid organization, using urgency in a short text message to fool you. In the message, you’ll usually find a link or a phone number they want you to use. Mobile messaging services are also at risk of this.
- Social media phishing involves criminals using posts or direct messages to persuade you into a trap. Some are blatant like free giveaways or sketchy “official” organization pages with an urgent request. Others might impersonate your friends or build a relationship with you long-term before ‘attacking’ to seal the deal.
- Clone phishing duplicates a real message that was sent previously, with legitimate attachments and links replaced with malicious ones. This appears in email but may also show up in other means like fake social media accounts and text messages.
In other cases, legitimate websites might be manipulated or imitated via:
- Watering hole phishing targets popular sites that many people visit. An attack like this might try to exploit weaknesses in a site for any number of other phishing attacks. Delivering malware, link redirection, and other means are common in these schemes.
- Pharming (DNS cache poisoning) uses malware or an onsite vulnerability to reroute traffic from safe websites to phishing sites. Manually typing a URL will still lead visitors to the malicious site if it is a victim of pharming.
- Typosquatting (URL hijacking) tries to catch people who type an incorrect website URL. For example, a website might be created that is one letter off from a valid one. Typing “Wallmart” instead of “Walmart” could potentially lead you to a malicious site.
- Clickjacking uses a website’s vulnerabilities to insert hidden capture boxes. These will grab user login credentials and anything else you might enter on the otherwise safe site.
- Tabnabbing happens when an unattended fraudulent page reloads into an imitation of a valid site login. When you return to it, you might believe it to be real and unknowingly hand over access to your account.
- HTTPS phishing gives a malicious website the illusion of security with the classic “padlock next to the URL bar” indicator. While this encryption sign used to be exclusive to sites that were verified as safe, now any site can get this. So, your connection and info you send may be blocked to outsiders, but you’re already connected to a criminal.
- Evil twin attacks mimic official public Wi-Fi at locations like coffee shops and airports. This is done in an effort to get you to connect and eavesdrop on all your online activities.
- Search engine phishing uses methods to get a fraudulent webpage to appear in search results before a legitimate one. It is also known as SEO phishing or SEM phishing. If you don’t look carefully, you may click the malicious page instead of the real one.
- Angler phishing impersonates a customer service representative for a real company to trick you out of information. On social media, a fake help account spots your “mentions” to the company’s social handle to respond with a fake support message.
- BEC (business email compromise) involves various means of breaching a company’s communications circle to get high-value info. This can include CEO impersonation or pretending to be a vendor and sending a fake invoice to initiate activities like wire transfers.
- Cryptocurrency phishing targets those with cryptocurrency wallets. Instead of using long-term means to mine cryptocurrency themselves, these criminals try to steal from those that already have these funds.
The truth is the list of types of phishing attacks is extensive and constantly expanding. These are some of the most common currently, but you might see new ones even in a few months.
Since these scams rapidly change to fit current events, they’ve been hard to spot. But there are ways you can keep yourself safer and being aware of the latest scams is an easy way to start.
Some examples of common phishing scams
Whilst it would be impractical and impossible to list every known phishing scam here, there are some more common ones you should definitely look out for:
Iran Cyberattack phishing scams use an illegitimate Microsoft email, prompting a login to restore your data in attempts to steal your Microsoft credentials. Scammers use your fear of being locked out of Windows and the relevance of a current news story to make it believable.
Office 365 deletion alerts are yet another Microsoft-related scam used to get your credentials. This email scam claims that a high volume of files has been deleted from your account. They give a link for you to log in, of course resulting in your account being compromised.
Notice from the bank. This scam tricks you with a fake account notification. These emails normally give you a convenient link that leads to a web form, asking for your bank details “for verification purposes.” Do not give them your details. Instead, give your bank a call as they may want to take action on the malicious email.
Email from a ‘friend’. This scam takes the form of a known friend who is in a foreign country and needs your help. This ‘help’ normally involves sending money to them. So, before you send your ‘friend’ money, give them a call first to verify whether it’s true or not.
Contest winner/Inheritance email. If you’ve won something unexpectedly or received an inheritance from a relative you’ve never heard of — don’t get too excited. Because most of the time these emails are scams that require you to click on a link to enter your info for prize shipment or inheritance ‘verification’.
The tax refund/rebate. This is a popular phishing scam as many people have annual taxes which they pay or have to submit payment to. These phishing messages normally say that you are either eligible to receive a tax refund, or you have been selected to be audited. It then requests that you submit a tax refund request or tax form (asking for your full details), which scammers then use to either steal your money and/or sell your data.
Coronavirus Phishing Scams and malware threats
Coronavirus/COVID-19 phishing scams are the latest to weaponize fear for cyber theft. One of the most notable is the Ginp banking trojan, which infects your device and opens a web page with a “coronavirus finder” offer. It baits people into paying to learn who is infected nearby. This scam ends with criminals making off with your credit card info.
There have also been cases of scammers pretending to be important government bodies and even the World Health Organization (WHO). This scam involves scammers contacting users directly, usually by email, requesting bank details or asking you to click on a link in an attempt to infect your computer with malware and steal your private data.
These emails and messages may look official, but if you investigate the link URL (by hovering over the link, again, do not click it) or the email address carefully, there are usually tell-tale signs that they are not authentic and should not be trusted (such as WHO or government emails coming from a Gmail account, etc.).
Do not fall for these scams. These organizations will never ask you for sensitive personal details or private banking details. And the chances of them asking you to download an app or software onto your computer are also incredibly low. So, if you receive an email or message like this, especially out of the blue, do not click on the links and do not give them your personal information or bank details. Check with the applicable authorities or your bank if you’re unsure, and only use/visit trusted websites and sources.
If you receive one of these emails, this is what you should do:
- Verify the sender by checking their email address — WHO sender addresses follow the person@who.int pattern, not Gmail or other consumer providers.
- Check the link, before you click — make sure the links start with https:// and not http://
- Be careful when providing personal information — never provide your credentials to third parties, not even the WHO.
- Do not rush or panic-react — scammers rely on this to pressure you into clicking links or opening attachments.
- If you gave sensitive information, don’t panic — reset your credentials on sites you’ve used them. Change your passwords and contact your bank immediately.
- Report all scams — Go to https://www.who.int/about/report_scam/en/
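The sender check above, together with the domain spoofing (arneria.com for america.com) and typosquatting (Wallmart for Walmart) entries in the list of phishing types, can be turned into a small screening routine for a From: header. This is an added example, not code from the original article or from any vendor; the trusted-domain list, the confusable-character table and the sample headers are constructed for it.

```python
"""Sender-address checks for the red flags discussed above: a display name that
claims a trusted organisation while the address is at another provider, a
lookalike domain built from confusable characters (arneria.com for america.com),
a one-character typo domain (wallmart.com), and a trusted domain hidden in the
subdomain labels of an unrelated host.  Everything below is constructed for
the example."""
from email.utils import parseaddr

# Domains the reader actually deals with, with name fragments a spoofed display
# name would use.  Constructed for the example; a real list would hold the
# organisations you correspond with.
TRUSTED = {
    "who.int": ("who.int", "world health organization"),
    "america.com": ("america",),
    "walmart.com": ("walmart",),
}

# Character sequences that render almost identically in common fonts, mapped to
# the character they imitate.  Multi-character entries come first so that "rn"
# is folded before any single-character rule could touch it.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("cl", "d"), ("0", "o"),
               ("1", "l"), ("3", "e"), ("5", "s")]


def skeleton(domain):
    """Fold confusable sequences so visually identical domains compare equal."""
    s = domain.lower()
    for lookalike, real in CONFUSABLES:
        s = s.replace(lookalike, real)
    return s


def levenshtein(a, b):
    """Edit distance; one insertion, deletion or substitution counts as 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1,
                           prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(host):
    """Last two labels of the host.  Simplification: ignores multi-part public
    suffixes such as co.uk, which a production check would resolve with the
    Public Suffix List."""
    return ".".join(host.split(".")[-2:])


def classify_sender(header_value):
    """Return (verdict, trusted_domain) for a From: header value.

    verdict is one of "trusted", "impersonation", "lookalike", "unknown"."""
    display, addr = parseaddr(header_value)
    if "@" not in addr:
        return ("unknown", None)
    host = addr.rsplit("@", 1)[1].lower().strip(".")
    domain = registrable(host)
    if domain in TRUSTED:
        return ("trusted", domain)
    # Trusted name in the display name, but the mail comes from elsewhere
    # (the "WHO mail sent from a Gmail account" case).
    name = display.lower()
    for trusted, fragments in TRUSTED.items():
        if any(f in name for f in fragments):
            return ("impersonation", trusted)
    # Trusted domain used as leading subdomain labels of an unrelated host.
    for trusted in TRUSTED:
        if host.startswith(trusted + ".") or ("." + trusted + ".") in host:
            return ("lookalike", trusted)
    # Confusable folding plus one edit covers rn/m swaps and doubled letters.
    for trusted in TRUSTED:
        if levenshtein(skeleton(domain), skeleton(trusted)) <= 1:
            return ("lookalike", trusted)
    return ("unknown", None)


# Constructed sample From: headers, one per red flag.
SAMPLES = [
    "WHO Alerts <person@who.int>",
    "World Health Organization <who.alerts@gmail.com>",
    "Account Team <alerts@arneria.com>",
    "Support <support@wallmart.com>",
    "Security <notice@who.int.account-check.example>",
    "help@ushurricanesurvivors.net",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(f"{sample!r:55} -> {classify_sender(sample)}")
```

A screen like this only flags candidates for a closer look; the display-name rule in particular will also catch legitimate senders whose name contains a trusted fragment, so it belongs in front of a human decision, not an automatic delete.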
Most phishing emails share similar traits that a trained eye should be able to catch. However, these aren’t always easy to spot at first glance, so let’s unravel these red flags.
Phishing Emails: How to recognize and avoid a Phishing Email
Spotting a phishing email comes down to pointing out anything inconsistent or unusual.
Sometimes it’s difficult to recognize what’s genuine and what’s a phishing attempt. First, you’ll want to be sure that you slow down before opening any links or attachments, or sending a reply.
Here’s an example of how you should react if you receive a suspect email:
You receive an email politely requesting a donation for victims of the most recent hurricane to make landfall. The sender’s address reads “help@ushurricanesurvivors.net” and, though the organization could be legitimate, you haven’t heard of it.
Usually, your spam folder shields you from these kinds of emails, but for some reason, this one is sitting at the top of your inbox.
You are computer savvy, and you’re not taking chances with any email from an organization that’s asking for personal and financial information. This is especially true when you didn’t request it and can’t verify its identity.
By taking a pause, instead of taking immediate action, you’ve taken an important step to protect yourself. However, you’ve still got to determine if this is legitimate or a scam.
Now you need to know exactly what to look for in a phishing email to make a decision.
What does a Phishing Email look like?
One of the reasons phishing emails are so sinister — and unfortunately often successful — is that they’re crafted to look legitimate. Generally, the following features are common among phishing emails and should raise red flags:
- Attachments or links
- Spelling errors
- Poor grammar
- Unprofessional graphics
- Unnecessary urgency about verifying your email address or other personal information immediately
- Generic greetings like “Dear Customer” instead of your name.
Hackers often rush to get phishing sites up, so some of them will look significantly different from the original company. You can use these traits to pick a malicious email out of your inbox.
Still, it’s not always clear what steps to take when you receive a phishing email that has skirted around your spam folder.
Tips for handling known Phishing Emails
Being vigilant about spotting phishing emails is key. If you’ve come across one in your inbox (that hasn’t been auto filtered into spam), use these strategies to avoid becoming a victim of a phishing attack.
- Delete the email without opening it. Most viruses activate when you open an attachment or click a link within an email. But some email clients allow scripting, which makes it possible to get a virus simply by opening a suspicious-looking email, so it’s best to avoid opening them altogether.
- Manually block the sender. If your email client allows you to manually create a block, you should do so. Make a note of the sender’s email domain, and then add the sender to a blocked list. This is especially smart and helpful if you share the email box with anyone in your family. Someone else might stumble upon a legitimate-looking email that isn’t part of your spam folder and do something they shouldn’t.
- Purchase an extra line of security. You can never be too safe. Consider purchasing antivirus software to help monitor your email box.
Just remember, the best way to handle a phishing email is to block or delete it immediately. Whether you take any additional actions to limit your exposure to these attacks is a bonus.
Beyond spotting the email and removing it, you can guard yourself with a few extra tips.
Phishing prevention tips
Whether you like it or expect it, you will be the target of phishing emails every day.
Most of these are filtered out automatically by our email providers, and for the most part, users have gotten relatively good at identifying these types of emails and using common sense to not comply with their requests.
But you’ve already seen how deceptive phishing can be. You also know phishing attacks extend into all types of communication and internet browsing — not just emails.
By following a few simple phishing prevention tips, you can greatly reduce your chances of falling victim to a scammer.
Steps to protect yourself from Phishing
Internet protection starts with your mindset and behavior toward potential cyberthreats.
Phishing tricks victims into giving over credentials for all sorts of sensitive accounts, such as email, corporate intranets and more.
Even for cautious users, it’s sometimes difficult to detect a phishing attack. These attacks become more sophisticated over time, and hackers find ways to tailor their scams and give very convincing messages, which can easily trip people up.
Here are a few basic measures to always take with your emails and other communications:
- Employ common sense before handing over sensitive information. When you get an alert from your bank or other major institution, never click the link in the email. Instead, open your browser window and type the address directly into the URL field so you can make sure the site is real.
- Never trust alarming messages. Most reputable companies will not request personally identifiable information or account details via email. This includes your bank, insurance company, and any company you do business with. If you ever receive an email asking for any type of account information, immediately delete it and then call the company to confirm that your account is OK.
- Do not open attachments in these suspicious or strange emails — especially Word, Excel, PowerPoint or PDF attachments.
- Avoid clicking embedded links in emails at all times, because these can be seeded with malware. Be cautious when receiving messages from vendors or third parties; never click on embedded URLs in the original message. Instead, visit the site directly by typing in the correct URL address to verify the request, and review the vendor’s contact policies and procedures for requesting information.
- Keep your software and operating system up to date. Windows OS products are often targets of phishing and other malicious attacks, so be sure you’re secure and up to date. Especially for those still running anything older than Windows 10.
Reducing your spam to avoid Phishing
Here are some more useful tips – from Kaspersky’s team of Internet security experts – to help you reduce the amount of spam email you receive:
Set up a private email address. This should only be used for personal correspondence. Because spammers build lists of possible email addresses – by using combinations of obvious names, words and numbers – you should try to make this address difficult for a spammer to guess. Your private address should not simply be your first and last name – and you should protect the address by doing the following:
- Never publish your private email address on publicly accessible online resources.
- If you must publish your private address electronically, try to mask it – in order to avoid having the address picked up by spammers. For example, ‘Joe.Smith@yahoo.com’ is an easy address for spammers to find. Try writing it as ‘Joe-dot-Smith-at-yahoo.com’ instead.
- If your private address is discovered by spammers – you should change it. Although this may be inconvenient, changing your email address will help you to avoid spam and scammers.
Set up a public email address. Use this address when you need to register on public forums and in chat rooms, or to subscribe to mailing lists and other Internet services. The following tips will also help you to reduce the volume of spam you receive via your public email address:
- Treat your public address as a temporary address. The chances are high that spammers will rapidly get hold of your public address, especially if it is frequently being used on the Internet.
- Don’t be afraid to change your public email address often.
- Consider using a number of public addresses. That way you’ll have a better chance of tracing which services may be selling your address to spammers.
Never respond to any spam. Most spammers verify receipt and log responses. The more you respond, the more spam you’re likely to receive.
Think before you click ‘unsubscribe.’ Spammers send fake unsubscribe letters, in an attempt to collect active email addresses. If you click ‘unsubscribe’ in one of these letters, it may simply increase the amount of spam you receive. Do not click on ‘unsubscribe’ links in emails that come from unknown sources.
Keep your browser updated. Make sure that you use the latest version of your web browser and that all the latest Internet security patches have been applied.
Use anti-spam filters. Only open email accounts with providers that include spam filtering.
Phishing vs the importance of Internet security software
One of the simplest ways to protect yourself from becoming a victim of a phishing scheme is to install and use proper Internet security software on your computer. Internet security software is vital for any user because it provides multiple layers of protection in one simple-to-manage suite.
For the most reliable protection, your security plan should include the following:
Anti-spam software is designed to protect your email account from phishing and junk emails. Aside from working with pre-defined denylists created by security researchers, anti-spam software has intelligence capabilities to learn, over time, which items are junk and which are not. So while you still should be vigilant, you’ll get some comfort from knowing that the software is also filtering out potential trouble. Use anti-phishing protection and anti-spam software to protect yourself when malicious messages slip through to your computer.
Anti-malware is included to prevent other types of threats. Similar to anti-spam software, anti-malware software is programmed by security researchers to spot even the stealthiest malware. With ongoing updates from vendors, the software continues to become more intelligent and better able to deal with the latest threats. By using an anti-malware package, you can protect yourself from viruses, Trojans, worms, and more.
By combining a firewall, anti-spam, and anti-malware into one package, you can provide extra backups that keep your system from being compromised, if you do accidentally click on a dangerous link. They are a vital tool to have installed on all your computers as they are designed to complement common sense.
While technology is a rapidly evolving field, by using a security package from a reputable security vendor, you can secure your devices from phishing and other malware threats.
Password management made easy
In addition to having virus protection software on your computer, it is crucial to use a password manager to manage your online credentials.
Today, it is vital to have different passwords for all websites. If a data breach ever occurs, malicious attackers will try using the discovered credentials across the web.
One of the best features of password managers is that they usually automatically fill in login forms to minimize clicking around. Additionally, many password managers include portable editions that can be saved to a USB drive, ensuring that you can take your passwords wherever you go.
While phishing can be a difficult area to tackle at times, by following the simple tips and advice outlined in this article (and embracing proper phishing prevention tools) — you can greatly minimize your risk of falling victim to digital scammers.
History
The 1980s
A phishing technique was described in detail in a paper and presentation delivered to the 1987 International HP Users Group, Interex.[50]
The 1990s
The term “phishing” is said to have been coined by the well-known spammer and hacker in the mid-90s, Khan C. Smith.[51] The first recorded mention of the term is found in the hacking tool AOHell (according to its creator), which included a function for attempting to steal the passwords or financial details of America Online users.[52][53]
Early AOL phishing
Phishing on AOL was closely associated with the warez community that exchanged unlicensed software and the black hat hacking scene that perpetrated credit card fraud and other online crimes. AOL enforcement would detect words used in AOL chat rooms to suspend the accounts of individuals involved in counterfeiting software and trading stolen accounts. The term was used because “<><” is the single most common tag of HTML that was found in all chat transcripts naturally, and as such could not be detected or filtered by AOL staff. The symbol <>< was substituted for any wording that referred to stolen credit cards, accounts, or illegal activity. Since the symbol looked like a fish, and due to the popularity of phreaking, it was adopted as “Phishing”. AOHell, released in early 1995, was a program designed to hack AOL users by allowing the attacker to pose as an AOL staff member and send an instant message to a potential victim, asking him to reveal his password.[54] In order to lure the victim into giving up sensitive information, the message might include imperatives such as “verify your account” or “confirm billing information”.
Once the victim had revealed the password, the attacker could access and use the victim’s account for fraudulent purposes. Both phishing and warezing on AOL generally required custom-written programs, such as AOHell. Phishing became so prevalent on AOL that they added a line on all instant messages stating: “no one working at AOL will ask for your password or billing information”. A user using both an AIM account and an AOL account from an ISP simultaneously could phish AOL members with relative impunity, as internet AIM accounts could be used by non-AOL internet members and could not be actioned (i.e., reported to the AOL TOS department for disciplinary action).[55] In late 1995, AOL crackers resorted to phishing for legitimate accounts after AOL brought in measures in late 1995 to prevent using fake, algorithmically generated credit card numbers to open accounts.[56] Eventually, AOL’s policy enforcement forced copyright infringement off AOL servers, and AOL promptly deactivated accounts involved in phishing, often before the victims could respond. The shutting down of the warez scene on AOL caused most phishers to leave the service.[57]
2000s
- 2001
  - The first known direct attempt against a payment system affected E-gold in June 2001, which was followed up by a “post-9/11 id check” shortly after the September 11 attacks on the World Trade Center.[58]
- 2003
  - The first known phishing attack against a retail bank was reported by The Banker in September 2003.[59]
- 2004
  - It is estimated that between May 2004 and May 2005, approximately 1.2 million computer users in the United States suffered losses caused by phishing, totaling approximately US$929 million. United States businesses lose an estimated US$2 billion per year as their clients become victims.[60]
  - Phishing is recognized as a fully organized part of the black market. Specializations emerged on a global scale that provided phishing software for payment (thereby outsourcing risk), which were assembled and implemented into phishing campaigns by organized gangs.[61][62]
- 2005
  - In the United Kingdom, losses from web banking fraud—mostly from phishing—almost doubled to GB£23.2m in 2005, from GB£12.2m in 2004,[63] while 1 in 20 computer users claimed to have lost out to phishing in 2005.[64]
- 2006
  - Almost half of phishing thefts in 2006 were committed by groups operating through the Russian Business Network based in St. Petersburg.[65]
  - Banks dispute with customers over phishing losses. The stance adopted by the UK banking body APACS is that “customers must also take sensible precautions … so that they are not vulnerable to the criminal.”[66] Similarly, when the first spate of phishing attacks hit the Irish Republic’s banking sector in September 2006, the Bank of Ireland initially refused to cover losses suffered by its customers,[67] although losses to the tune of €113,000 were made good.[68]
  - Phishers are targeting the customers of banks and online payment services. Emails, supposedly from the Internal Revenue Service, have been used to glean sensitive data from U.S. taxpayers.[69] While the first such examples were sent indiscriminately in the expectation that some would be received by customers of a given bank or service, recent research has shown that phishers may in principle be able to determine which banks potential victims use, and target bogus emails accordingly.[70]
  - Social networking sites are a prime target of phishing, since the personal details in such sites can be used in identity theft;[71] in late 2006 a computer worm took over pages on MySpace and altered links to direct surfers to websites designed to steal login details.[72]
- 2007
  - 3.6 million adults lost US$3.2 billion in the 12 months ending in August 2007.[73] Microsoft claims these estimates are grossly exaggerated and puts the annual phishing loss in the US at US$60 million.[74]
  - Attackers who broke into TD Ameritrade’s database and took 6.3 million email addresses (though they were not able to obtain social security numbers, account numbers, names, addresses, dates of birth, phone numbers and trading activity) also wanted the account usernames and passwords, so they launched a follow-up spear phishing attack.[75]
- 2008
  - The RapidShare file sharing site has been targeted by phishing to obtain a premium account, which removes speed caps on downloads, auto-removal of uploads, waits on downloads, and cool down times between uploads.[76]
  - Cryptocurrencies such as Bitcoin facilitate the sale of malicious software, making transactions secure and anonymous.
- 2009
  - In January 2009, a phishing attack resulted in unauthorized wire transfers of US$1.9 million through Experi-Metal’s online banking accounts.
  - In the third quarter of 2009, the Anti-Phishing Working Group reported receiving 115,370 phishing email reports from consumers, with the US and China each hosting more than 25% of the phishing pages.[77]
2010s
- 2011
  - In March 2011, internal RSA staff were successfully phished,[79] leading to the master keys for all RSA SecurID security tokens being stolen, which were subsequently used to break into US defense suppliers.[80]
  - Chinese phishing campaigns targeted Gmail accounts of highly ranked officials of the United States and South Korean governments and militaries, as well as Chinese political activists.[81][82]
- 2012
  - According to Ghosh, there were “445,004 attacks in 2012 as compared to 258,461 in 2011 and 187,203 in 2010”.
- 2013
  - In August 2013, advertising service Outbrain suffered a spear-phishing attack and SEA placed redirects into the websites of The Washington Post, Time, and CNN.[83]
  - In October 2013, emails purporting to be from American Express were sent to an unknown number of recipients.[84]
  - In November 2013, 110 million customer and credit card records were stolen from Target customers through a phished subcontractor account.[85] The CEO and IT security staff were subsequently fired.[86]
  - By December 2013, Cryptolocker ransomware had infected 250,000 computers. According to Dell SecureWorks, 0.4% or more of those infected likely agreed to the ransom demand.[87]
- 2014
  - In January 2014, the Seculert Research Lab identified a new targeted attack that used Xtreme RAT. This attack used spear-phishing emails to target Israeli organizations and deploy the malware. Fifteen machines were compromised, including ones belonging to the Civil Administration of Judea and Samaria.
  - In August 2014, the iCloud leaks of celebrity photos were found to be based on phishing emails sent to the victims that looked like they came from Apple or Google, warning the victims that their accounts might be compromised and asking for their account details.[95]
  - In November 2014, phishing attacks on ICANN gained administrative access to the Centralized Zone Data System; the attackers also obtained data about users of the system, as well as access to ICANN’s public Governmental Advisory Committee wiki, blog, and whois information portal.[96]
- 2015
  - Charles H. Eccleston pleaded guilty[97][98] to an attempted spear-phishing attack in which he tried to infect the computers of 80 Department of Energy employees.
  - Eliot Higgins and other journalists associated with Bellingcat, a group researching the downing of Malaysia Airlines Flight 17 over Ukraine, were targeted by numerous spear-phishing emails.[99][100]
  - In August 2015, Cozy Bear was linked to a spear-phishing cyber-attack against the Pentagon email system, causing the shutdown of the entire Joint Staff unclassified email system and Internet access during the investigation.[101][102]
  - In August 2015, Fancy Bear used a zero-day exploit of Java in a spear-phishing attack spoofing the Electronic Frontier Foundation and launching attacks on the White House and NATO.[103][104]
- 2016
  - In February, Austrian aerospace firm FACC AG was defrauded of 42 million euros ($47 million) through a BEC attack, and subsequently fired both the CFO and CEO.[105]
  - Fancy Bear carried out spear-phishing attacks on email addresses associated with the Democratic National Committee in the first quarter of 2016.[106][107]
  - The Wichita Eagle reported “KU employees fall victim to a phishing scam, lose paychecks”.[108]
  - Fancy Bear is suspected to be behind a spear-phishing attack in August 2016 on members of the Bundestag and multiple political parties, such as Linke faction leader Sahra Wagenknecht, Junge Union and the CDU of Saarland.[109][110][111][112]
  - In August 2016, the World Anti-Doping Agency reported the receipt of phishing emails sent to users of its database that claimed to be official WADA communications but were consistent with the Russian hacking group Fancy Bear.[113][114] According to WADA, some of the data the hackers released had been forged.[115]
  - Within hours of the 2016 U.S. election results, Russian hackers sent emails from spoofed Harvard University email addresses,[116] using techniques similar to phishing to publish fake news targeted at ordinary American voters.[117][118]
- 2017
  - In 2017, 76% of organizations experienced phishing attacks. Nearly half of information security professionals surveyed said that the rate of attacks increased from 2016.
  - In the first half of 2017, businesses and residents of Qatar were hit with more than 93,570 phishing events in a three-month span.[119]
  - A phishing campaign against Google and Facebook successfully induced employees into wiring money, to the extent of US$100 million, to overseas bank accounts under the control of a hacker. He has since been arrested by the US Department of Justice.[120]
  - In August 2017, customers of Amazon faced the Amazon Prime Day phishing attack, when hackers sent out seemingly legitimate deals to customers of Amazon. When Amazon’s customers attempted to make purchases using the “deals”, the transaction would not be completed, prompting the retailer’s customers to input data that could be compromised and stolen.[121]
- 2018
2020s
- 2020
  - On July 15, 2020, Twitter suffered a breach that combined elements of social engineering and phishing. A 17-year-old hacker and accomplices set up a fake website resembling Twitter’s internal VPN provider used by employees working from home. Individuals posing as helpdesk staff called multiple Twitter employees, directing them to submit their credentials to the fake VPN website.[123] Using the details supplied by the unknowing employees, they were then able to seize control of several high-profile user accounts, including those of Barack Obama, Elon Musk, Joe Biden and Apple Inc.’s company account. The hackers sent messages to Twitter followers soliciting Bitcoin, promising double the transaction value in return, and collected some $117,000 in the first 3 hours of the ruse.