Evolution of phishing

The first phase of phishing was in the late 1990s and early 2000s. Phishing was categorized simply as an email threat, and not much concern was attached to it. The most popular type of phishing email was the Nigerian prince scam, in which the attackers were simply capitalizing on greed and misinformation. The first phishing attack against a payment system, E-gold, was made in this period. In 2003, another phishing attack was made against a retail bank. In 2004, an American teen was arrested after being found to have created a website asking people to give up their logins. The website was a replica of America Online (AOL), which had been adopted by a large number of internet users. Later that year, many other phishing scams succeeded against 1.2 million US targets. This showed that hackers were experimenting with phishing schemes beyond the usual Nigerian prince scam. More phishing attacks followed, waged against millions of users annually. Phishers then innovated their attack mechanisms, and some turned from targeting many unknown targets to targeting a few known ones. They would isolate one person in a company, do background research, and then use the information gained to attack them. This came to be known as spear phishing. In 2008, the attacks made another leap: a new type of phishing targeted CEOs, which came to be known as whaling. Phishers would send emails to the CEOs claiming to be court subpoenas, which urged the CEOs to open them. Once opened, the emails would download keyloggers onto the victims' computers. There were about 2,000 victims before most people got wind of it and it was no longer effective.

In 2009, there were reports that phishing was no longer profitable and was heading toward a dead end. Reports indicated that the resources attackers spent on mass-mailing people far exceeded any returns that these attacks would yield. Microsoft was among the companies that declared that phishing was not profitable.

A 2009 article about Microsoft debunking any profitability from phishing

Do phishers actually make money, or is phishing an unprofitable business that scammers lose time and resources on? Taking the economic approach of generalizing how much money phishers make, a recently released study by Microsoft researchers Cormac Herley and Dinei Florencio (A Profitless Endeavor: Phishing as Tragedy of the Commons) states that phishing isn't as profitable as originally thought.

These reports were based on the fact that many scammers were using the same scam stories, which consequently decreased their effectiveness. The possible revenues that could be realized from phishing were shrinking as the number of phishers increased. It seemed that the vice had no future. The commonly used phishing stories had also been profiled, and many potential targets had learned how to tell that an email was a phishing email. Most of the scammers were sending plain-text emails with grammatical errors and similar stories aimed at engaging targets in a get-rich-quick scenario. As more of these similarly written phishing emails surfaced, identifying phishing became quite easy for the average internet user.

However, from 2011, cases of phishing attacks started rising again. By 2013, phishing was spiralling out of control. The number of users scammed between 2012 and 2013 rose by 87% to approximately 40 million. Instead of using similarly styled emails, phishers were using different scenarios to get targets to comply with malicious requests. The use of fake copies of financial institutions' websites increased. By 2016, phishing had become a highly recognized threat in the corporate and law enforcement world. Organizations, employees, and customers were losing a lot of money to elaborate scams received through email. Bank account holders were complaining of being defrauded by unknown persons pretending to be officials from the bank. PayPal, which in 2009 had declared that phishing was not even worthy of being among its top five cyber security threats, started to warn its users about this type of attack. Corporate organizations were complaining that logins to sensitive systems had been given out by unsuspecting employees, leading to the theft of sensitive information. Senior executives were complaining that their email accounts had been taken over by malicious people. Phishing had established itself as a high-concern security threat. It attacked the one target that organizations could not protect using cyber security software: the user. There are several types of phishing attacks, as we shall discuss in the following sections.
