Salem Press

The 2000s in America

Phishing

by Patrick G. Cooper

Definition: The act of using various communication devices such as e-mail and telephones in an attempt to trick individuals into either revealing their personal information, including passwords and social security numbers, or installing malicious software (malware)

Phishing is used by identity thieves to acquire the confidential personal and financial information of victims. The term is a variation of “fishing” and refers to identity thieves fishing for victims. Identity thieves, also referred to as “phishers,” pose as representatives from banks, credit card companies, or other financial institutions and e-mail or call victims requesting their personal information. Phishers offer several fraudulent reasons for why the victim must enter their personal information. Phishing raised many concerns over online security in the 2000s.

Phishing first became popular during the early days of America Online (AOL), one of the first prevalent Internet providers. Phishers would pretend to be AOL employees and send users instant messages requesting their passwords for confirmation purposes. Once they procured users’ passwords, phishers could use them to access their accounts for spamming or other nefarious purposes. AOL eventually put policies into place to delete the accounts of anyone involved with phishing and to quickly detect any instant messages that contained phishing-related words.

After AOL’s security increased, phishers started to pretend to be financial institutions such as banks and credit card companies. The first known phishing attempt in which the perpetrator pretended to be a financial institution was in June 2001. A phisher posed as e-gold, a website that allowed users to instantly transfer gold currency. Although this attempt was unsuccessful, it was used by phishers as a test to develop more successful methods.

Following the terrorist attacks on September 11, 2001, phishers began sending out fraudulent identification check e-mails. Recipients were asked to enter their personal information to confirm their identities for reasons of national security. These attempts were also seen as failures but were used to test new methods of phishing.

Online Phishing

After the unsuccessful phishing attempts in the early part of the 2000s, phishers started implementing more sophisticated methods to acquire victims’ personal information. By 2004, phishing was seen as a serious and lucrative criminal activity. It led to heightened online security, increased awareness, and several lawsuits and government actions.

Many phishers pose as social media websites such as Facebook. They send users e-mails claiming that a security issue has been noticed on the account and that, as a result, users must fill out legal forms, such as terms-of-use or copyright law forms. These phishers typically state that if users do not comply and fill out the form, their account will be terminated. The e-mail usually includes a link whose visible text shows a legitimate address, such as Facebook’s web address; in reality, clicking the link downloads an executable file. This kind of trickery is how phishers get victims to download malicious software that exposes personal information and passwords.

Oftentimes phishers include company logos in their e-mails to make them look legitimate. There are several ways to tell whether an e-mail is a phishing scam or not. Many times words are misspelled or threats of account deletion are made.

In 2006, phishers began using e-mails to pose as the US Internal Revenue Service (IRS). In response, the IRS issued several consumer warnings about the use of the IRS logo for phishing and identity-theft purposes. Several of these IRS-related e-mail phishing scams claimed that the individual was owed a tax refund. The individual was then asked to enter personal information in order to receive the money owed them. The IRS established several ways for consumers to report suspicious e-mails that might be phishing scams.

Some phishers set up fraudulent or replica websites to pose as financial institutions. Once one of these fake websites was visited, users could unknowingly receive malicious software. Even on legitimate websites, phishers could alter the sites’ scripts and security aspects to fool users. This was a particularly successful phishing method because the fraudulent websites were nearly undetectable to average online users.

In 2006, this type of phishing was done on the website PayPal, which allows users to easily transfer money to other bank accounts. Phishers used the PayPal website to trick users into going to a uniform resource locator (URL) hosted on the legitimate PayPal website. Phishers created a warning message that appeared when users visited the website that said the user’s account was disabled because it may have been accessed unlawfully by a third party. Users were then redirected to a fraudulent PayPal login page that looked extremely similar to the actual login page.

This technique was also frequently used on the websites of banks. When users visited the sites, a pop-up window would appear that requested their personal login information for security purposes. Financial institutions responded by increasing online security measures through the use of security questions and images. For example, in 2008, Bank of America implemented a SiteKey system on its website in which users choose an image that appears every time they log in. If the image does not appear during the login process, the user has been led to a fraudulent site. Other companies hit with phishing attacks during the 2000s included Best Buy, the United Parcel Service (UPS), and First Union Bank.

File-sharing websites and services such as RapidShare were also used by phishers to harvest information or leave computers vulnerable for later attack. Phishers would use fake websites or alter legitimate ones to sell users RapidShare upgrades that did not exist. Sometimes phishers would send out e-mail newsletters posing as file-sharing websites or would post in forums, encouraging users to pay for fake upgrades. Both of these phishing methods were used to steal victims’ credit card information.

A majority of online phishing in the 2000s was traced to the Russian Business Network (RBN). RBN is a cybercrime organization based in Russia that performs identity theft on a large scale. It undertook some of the largest and most successful phishing scams of the decade, oftentimes selling personal information to criminals for use in identity theft. RBN developed malicious software such as MPack, a kit that was sold to hackers to infect hundreds of thousands of personal computers.

Phone Phishing

Phishers also used phones to acquire personal financial information. This method became known as “vishing.” Sometimes they would send e-mail messages posing as financial institutions or Internet providers. At other times, phishers would steal a list of phone numbers from financial institutions and call the victims themselves. Once victims were on the phone, they would be asked to enter their debit card PIN, Social Security number, or other personal information. The phone numbers victims called would be owned by the phishers, who typically used voice over Internet protocol (VoIP) to disguise the location of their numbers, making the phishers difficult to locate. VoIP allows phishers to make and receive phone calls using their computer and Internet connection.

Phishers could even use VoIP to disguise the caller identification on the victims’ end. They could call a victim and have the caller identification information correspond to that of a trusted bank or other entity. This made vishing hard to monitor.

Other phishers used phones to pose as technical support departments from Internet providers or software companies such as Microsoft. Phishers used this method to install malicious software (commonly known as “malware”) to gain access to sensitive information. Frequently, once the malicious software had been installed, phishers would charge victims to remove it from their computer. Phishers also used this method to adjust settings on victims’ computers to leave them vulnerable to further unlawful access.

In response, financial institutions, Internet providers, and software companies released several warnings stating that they would never call and request information or make charges via the phone. They stated that if anyone calls claiming to be from their institution, individuals should hang up and report the number.

Combating Phishing

The sharp rise in phishing during the 2000s and the massive financial losses it caused led to several antiphishing responses on public and federal levels. The most basic method of combating phishing was to educate the public on how to recognize these scams. The IRS released several consumer warnings throughout the decade, and software companies, including Microsoft, published materials online to inform the public about phishing. Along with online consumer warnings, the IRS released informational videos and podcasts and provided consumers with e-mails and telephone numbers they could contact if they suspected they were the target of phishing attempts.

Because of phishing, several websites, financial institutions, and other entities changed the way they handled e-mails and information online. For example, PayPal began to include users’ login names in e-mails to let them know they were not being phished. Typically, phishing e-mails would address users with generic greetings, such as “Dear PayPal user.” In a similar fashion, banks started to include partial account numbers in e-mails. However, studies conducted in 2006 found that including personal information in an e-mail did not prevent phishing, since phishers typically used the same tactics to bait victims.

Many popular Internet browsers implemented measures for what became known as “secure browsing.” Several Internet browsers began to include antiphishing technology as part of their browsers and services. If a user attempts to visit a website that is not recognized as secure by Firefox, for example, a warning box will appear or Firefox will simply block the website.

E-mail services such as Gmail strengthened their spam filters to help combat phishing. Many of these filters utilize language processing to recognize and block e-mails that include common phishing words and sentences.

The US Federal Trade Commission (FTC) set up services to help reduce telephone phishing scams. Their services encouraged users to report suspicious phone calls and phone numbers. The FTC then passed on this information to appropriate law-enforcement officials. Individuals could also register their phone number on the National Do Not Call Registry, which limits the number of telemarketers and potential phishers that can call the number.

Federal Responses

In 2004, the FTC filed a lawsuit against a seventeen-year-old in California who was suspected of perpetrating phishing scams to acquire credit card information. This was the first law-enforcement action brought against a phisher. In 2006, the Federal Bureau of Investigation enacted an operation code-named Cardkeeper that led to the arrest of seventeen people involved with international phishing scams in the United States, Poland, and Romania. This group allegedly stole identities, credit card information, and bank information. Four suspects from the group were arrested in the United States and were in possession of machines used to encode cards with victims’ bank information.

On December 16, 2003, US president George W. Bush signed the Controlling the Assault of Non-Solicited Pornography and Marketing Act (CAN-SPAM Act). This act established national standards for the distribution of commercial e-mail. The FTC was given authority to enforce the provisions put forth by the act. It was created to reduce the amount of unwarranted and unwanted e-mails, including phishing-related messages. Although many critics saw it as a failure, the first individual convicted under its provisions was sentenced in 2007. This individual, Jeffrey Brett Goodin, sent thousands of e-mails posing as the AOL billing department and requesting users’ personal information. He was sentenced to serve seventy months in prison.

Impact

Phishing raised several concerns about the security of valuable personal information that is frequently used online by banks and other entities. During the 2000s, various phishing methods managed to successfully rob victims of billions of dollars. Businesses affected by phishing also lost billions of dollars. Phishing was the most successful cybercrime method of the decade and changed the way information is distributed online. Its rise also led to an increase in awareness and heightened security on several fronts.

Further Reading

Jakobsson, Markus, and Steven Myers, eds. Phishing and Countermeasures: Understanding the Increasing Problem of Electronic Identity Theft. Hoboken: Wiley, 2006. Print. Presents information from several authorities on phishing from a variety of perspectives.

James, Lance. Phishing Exposed. Rockland: Syngress, 2006. Print. Discusses the various techniques used by phishers.

Krebs, Brian. “Shadowy Russian Firm Seen as Conduit for Cybercrime.” Washington Post. Washington Post, 13 Oct. 2007. Web. 14 Dec. 2012. Examines RBN and its involvement with various cybercrimes, including phishing. Offers an international perspective.

Lininger, Rachael, and Russell Dean Vines. Phishing: Cutting the Identity Theft Line. Hoboken: Wiley, 2005. Print. Presents information on phishing prevention for average Internet users and helps readers to identify phishing attempts.

“Phishing.” OnGuardOnline.gov. Federal Trade Commission, n.d. Web. 14 Dec. 2012. Provides an overview of phishing, examples of fraudulent e-mails, and methods of addressing phishing scams and reporting them.

Citation Types

MLA 9th: Cooper, Patrick G. "Phishing." The 2000s in America, edited by Craig Belanger, Salem Press, 2013. Salem Online, online.salempress.com/articleDetails.do?articleName=2000_0297.

APA 7th: Cooper, P. G. (2013). Phishing. In C. Belanger (Ed.), The 2000s in America. Salem Press.

CMOS 17th: Cooper, Patrick G. "Phishing." Edited by Craig Belanger. The 2000s in America. Hackensack: Salem Press, 2013. Accessed September 18, 2025. online.salempress.com.