Phishing has come quite a long way since the early days of the internet. What was once just harmless pranks and low-effort scams is now the most used attack vector to breach organisations. Today it's not just emails - it's SMS, voice calls, socials and even deepfaked video calls.
Here's a quick look at how phishing has evolved and where it's headed.
During the early days of the internet, AOL Instant Messenger was a widely popular messaging and chat room application. In 1994, a user known as 'Da Chronic' developed a toolkit called AOHell, a collection of tools that remained in use until the decline of AIM around 2010. Notably, it included the first recorded use of the term 'phishing'. The toolkit, among other things, let users create fake accounts, send automated phishing messages to random accounts and impersonate AOL founder Steve Case.
Instead of sending generic spam emails en masse, attackers began collecting information on a single target and creating personalised phishing emails - referencing coworkers, roles and even internal projects. These emails were much more believable than spam emails, and thus worked much better. A lot of breaches started this way, such as Sony, Target, and more recent ones like Uber.
With the extremely wide use of social media platforms and messaging apps, phishing adapted and spread everywhere - texts, phone calls, fake websites and even LinkedIn messages.
Let's take the MGM hack of 2023 as an example - the 100 million dollar attack was carried out impersonating MGM IT staff in a phone call with the helpdesk, and by spamming employees with MFA requests until one was approved (a technique known as MFA fatigue).
Today, phishing is faster and smarter than ever. The integration of AI into phishing toolkits means instant fake login pages for whatever website, hyper-personalised texts and even convincing fake audio and video - making real-time impersonation in video calls not only possible, but actively used today.
The impact of AI on security will be significant, not just for the speed or scale, but because it erodes our ability to trust everything we see or hear. Recognising a phishing attempt will become much harder, and that's something we'll need to be prepared for.
Author: Marcello Carboni, Cyber Security Specialist, 8 West Consulting
https://www.linkedin.com/in/marcello-carboni-b01228186/