Verified Mark Certificates 09-16-2021

From the 90s to Today – How Phishing, and the Strategies to Combat it, Have Evolved Over Time

Dean Coclin

Phishing originated in the mid-90s as a way to steal AOL users’ information. Back then, the biggest risk was losing your credit card information. It’s safe to say that since 1995 phishing threats have evolved, becoming more diversified and impactful. However, as phishing strategies have evolved, so have the best practices to combat it.

But how did we get here, and how has phishing grown to be the destructive force it is today? Let’s dive in.

Phishing in the early days

The first phishing attacks began in 1995, but the term phishing was first used in 1996. With millions of people on AOL every day, it became a natural target. The original phishers targeted usernames and passwords and used algorithms to randomize credit card numbers until they could open AOL accounts. With their fake accounts, they continued to spam other users, quickly gaining traction.

Unsuspecting victims were easy targets as they had no idea what phishing was. To combat this, AOL posted warnings on all of their email and instant messenger clients warning people to not share sensitive information on those platforms.

Over time, phishing evolved to targeting online payment systems, sending malicious emails and spoofing. By 2003, spoofing emails claiming to be brands like eBay and PayPal plagued inboxes asking for updated credit card information. Users would click on an email link and be directed to a site that appeared to be the real deal but was actually a spoof. From May 2004 to May 2005, 1.2 million victims in the United States had financial losses totaling $929 million from phishing.

More emphasis has been placed on stopping phishing before users click on the message. Here are our top 10 tips to avoid phishing.

Phishing today

Instead of a love letter or a message from a Nigerian prince that could result in stolen personal information, today’s phishing attempts could threaten the world economy, politics and leading organizations. Attackers of today are professionally organized, large-scale groups that are financially motivated. Organizations lose an estimated $2 billion a year from phishing.

During the pandemic, phishing activities rose significantly as attackers aimed to take advantage of the public’s heightened fears surrounding COVID-19 issues. Popular attacks have surrounded stimulus checks, fake CDC information, working from home and Netflix scams. With trends like remote work here to stay, the pandemic changed cybersecurity priorities for good.

Recent attacks have also focused on the 2020 U.S. presidential election, unemployment benefits and still spoof traditional targets like PayPal. About 50% of all email traffic in 2020 was spam, and PhishLabs found a 47% increase in phishing from 2020 to 2021, meaning phishing is worse today than it’s ever been.

To combat this, the FTC has published numerous statements warning users to be aware of these threats. While there is still much to be done to protect against these ever-evolving threats, current best practices and new technologies are enabling modern defenses against phishing.

Modern email security practices

Preventing phishing today is a combination of security best practices and training. Organizations need to educate employees on hackers’ techniques and ways to look for security indicators. Regular, updated training is the best defense. Without knowing your threats, you cannot defend against them. IT teams should promote awareness training by simulating email phishing attacks, which train employees to look for such threats and not click on links or attachments.

However, organizations should also take advantage of security protocols such as Domain-based Message Authentication, Reporting, and Conformance (DMARC). DMARC is an email authentication, policy and reporting protocol that helps prevent email spoofing. Enabling DMARC for an organization lowers the number of phishing emails trying to spoof customers. This reduces inbox clutter and makes it easier for consumers to trust the email messages in their inboxes.

Read this post for in-depth instructions on setting up DMARC.


3 Surprising Uses of PKI in Big Companies and How to Ensure They Are all Secure

5 Min

Featured Stories


Pioneering the next wave of secure digital solutions 


Unlocking Device Trust Manager

A Q&A with DigiCert Director of Product Management Kevin Hilscher

6 reasons signed SBOMs are essential to software security