When companies attempt to protect their systems from cyber intrusion, they tend to look at all the available technological options — firewalls, unidirectional gateways, third-party software, AI-powered solutions, etc. But according to studies from both the World Economic Forum and IBM, 95% of all cybersecurity incidents can be traced to human error. Information technology (IT) and operational technology (OT) systems can both be breached, but people are still the weakest link. This is why hackers, like snake oil salesmen before them, have been preying upon our human foibles for decades now.
One of the most popular social engineering scams continues to be phishing, where an attacker sends a fraudulent message or email that appears to come from a legitimate source, such as a bank, social media platform or company superior. While these sorts of attacks are propagating at an alarming rate today, they are far from new. In fact, the first recorded phishing cyberattack took place in the mid-1990s and was carried out by a group of hackers who targeted America Online (AOL) users. From there, phishing has evolved — though it still uses the same general playbook — to become a threat to corporations, manufacturers and critical infrastructure.
How the AOL attack launched phishing
According to Sophos’ recently released State of Cybersecurity 2023 report, which surveyed 3,000 respondents, phishing was the second biggest area of concern for IT professionals in 2023, with 40% of respondents citing it as a threat (trailing just behind data exfiltration at 41%). So how did we get from the dawn of the internet to phishing becoming a top attack vector?
Back in the dark ages of the mid-1990s, the only internet option for most people was paid dial-up through a modem. AOL was the Google of its time, the big fish in the online pond, outpacing every other web service by a significant amount up until the 2000s. But for those who weren’t sure if the internet was for them or didn’t want to pay the price for SpaceJam.com or Ask Jeeves, AOL offered a 30-day free trial via a floppy disk.
Some people started looking for a workaround to continue using the internet after the trial period ended. According to phishing.org, “The first way in which phishers conducted attacks was by stealing users’ passwords and using algorithms to create randomized credit card numbers. While lucky hits were few and far between, they struck the jackpot often enough to cause a lot of damage. The random credit card numbers were used to open AOL accounts. Those accounts were then used to spam other users and for a wide range of other things.”
AOL put the kibosh on this practice in 1995, when they created security measures to prevent the use of randomly generated credit card numbers. At this point, the nascent phishers created what would become the blueprint for generations of attacks to follow. Using AOL Instant Messenger and email, they sent communications to users claiming to be AOL employees and administrators. They requested users to verify their account and billing information. Because no one had ever seen an attack like this, many unsuspecting AOLers fell for the ruse.
Why social engineering attacks work
The first recorded mention of the word “phishing” was on the hacking site AOHell, a program designed to exploit bugs in the AOL service, allowing bad actors to forge messages in chat rooms, download files and create dummy accounts.
This early attack was a groundbreaking example of social engineering tactics being used in a cyberattack, as the hackers relied on tricking users into voluntarily providing their login credentials rather than exploiting technical vulnerabilities. The success of this attack led to the widespread adoption of phishing as a tactic for cybercriminals to steal personal and financial information from unsuspecting victims, or to gain access to critical systems.
Since then, phishing has been used regularly to trick recipients into clicking on a link, downloading an attachment or providing sensitive information, such as login credentials, credit card numbers or a company’s secret sauce. Once an attacker obtains sensitive information, they can use it to access financial accounts, make unauthorized purchases or hack into systems and wreak havoc. In some cases, phishing attacks can also install malware or ransomware on a victim’s computer, which can cause data loss or other damage. Because the lines between IT and OT are no longer firm, an IT systems breach can easily spill over into OT, allowing attackers access to sensitive company information and functions.
From AOL to ILOVEYOU
Though the AOL attack was rudimentary in its approach and tactics, it did lay the groundwork for what has become a somewhat standard playbook. Phishing and other social engineering scams have remained a popular attack vector ever since. The Federal Bureau of Investigation’s (FBI) Internet Crime Complaint Center (IC3) found that phishing schemes were the No. 1 crime type in 2022, with 300,497 complaints.
The first major and fully realized phishing attack occurred shortly after the AOL issues, when the Love Bug was unleashed on the world in May 2000. Mailboxes around the globe all received a message titled ILOVEYOU. The body of the email said simply: “Kindly check the attached LOVELETTER coming from me.” When lovelorn users clicked the link to unveil their secret admirer, they unleashed a worm that overwrote image files and sent a copy of itself to that user´s contacts in their Outlook address book. From there, different types of phishing have been used in consequential attacks like FACC and Colonial Pipeline.
Phishing attacks can be difficult to detect because they often use social engineering tactics to create a sense of urgency or exploit a person’s trust in a particular brand or organization. They use manipulation and deception to trick individuals into divulging confidential information or performing actions that are harmful to themselves or their organizations. Unlike other types of cyberattacks that rely on technical exploits, social engineering attacks exploit human nature and rely on psychological tricks to achieve their goals. That’s why it’s important to be cautious when receiving unsolicited emails or messages, and to verify the authenticity of any requests for sensitive information before providing it.
There’s an old axiom in journalism: If your mother says she loves you, check it out. It speaks to a healthy skepticism of what people see and hear, as well as a desire to get things right. That same aphorism holds true with the internet. If it looks too good to be true, you can generally assume it is.