What is phishing
Sixty-eight percent of all data breaches involve the human element, such as human error or a person falling victim to a social engineering attack, according to the Verizon 2024 Data Breach Investigations Report. An attacker doesn’t need a zero-day vulnerability to break into your systems. The most powerful tool in their arsenal is simple trickery.
Phishing was the second-most common cause of data breaches. The term describes how an attacker gains information or access by impersonating a trusted third party: a colleague, business, government agency, friend, or relative. We’ve lived with phishing — a type of social engineering — since the earliest days of the internet. But in recent years, attackers have grown more sophisticated, using new methods and tactics to accomplish their goals. And so, phishing is more dangerous than ever.
But a little knowledge goes a long way toward defeating phishing attacks. This guide will shed light on their ever-changing tactics, give you actionable advice on how to prevent phishing attacks, and explore what recent advances in AI mean for email and phone scams.
In 1995, the internet was a place of endless fascination and potential. A screeching 28.8kbps dial-up modem was the latest in high-speed home networking technology, and it connected you to a growing global community. And yes, it was expensive.
Back then, many people paid by the minute to get online. Or they paid for packages that, by today’s standards, were eye-wateringly expensive. Those unwilling or unable to pay had another option.
An enterprising young hacker called Koceilah Rekouche — someone who, although crossing legal and ethical boundaries, was primarily motivated by a sense of curiosity and exploration, rather than the outright malice of today’s organized threat actors — created a tool called AOHell.
It could generate fake credit card numbers for new trial accounts. Or it could help you steal someone else’s legitimate account by sending an email that purported to come from AOL security and asked for their username and password.
The last bit was called a “fisher” tool. And because hackers at that time would substitute “ph” for “f”, fishing became “phishing.”
That’s the first recorded usage of the term that now strikes fear into the hearts of anyone who owns a social media page, has an email account, or runs a business. Phishing is no longer something used by people wanting to get online for free. It’s a big business.
Researchers identified 500 million phishing attacks in 2022. That figure is double the previous year’s. And the impact of a successful phishing attack can prove devastating. Figures from IBM put the average cost at a cool $4.91 million. A business email compromise (BEC) attack — a subtype of phishing in which a malicious actor tries to trick a company executive into making large payments or sharing confidential information — can cost $4.89 million.
Ultimately, phishing is just another type of deception. Something that’s as old as humanity itself. Lies and misdirection have an incredible destructive potential — just ask the Trojans. But what makes phishing such a terrifying prospect is that it can happen at scale. It’s both a hammer and a scalpel.
An attacker can send millions of emails in the hope that a handful of recipients take the bait. Or they can build something that’s unique for one person, or one company, in the hope of a massive payday.
Later we’ll walk you through the different kinds of phishing and how malicious actors use them. But we’ll start with the very near future, where advances in artificial intelligence technology promise to make phishing an even more dangerous threat.