By: Vanna karthik; Vel Tech University, Chennai, India
Abstract
Phishing is a common type of cyberattack that still poses serious hazards to people and businesses all around the world. In order to identify the tactics, techniques, and procedures (TTPs) used by cybercriminals, this article explores actual phishing assault samples. This paper examines the lessons learnt to increase cybersecurity awareness and resistance by examining these occurrences and finding recurrent patterns. Additionally, it looks at how phishing attempts have changed over time, highlighting how flexible cybercriminals are in getting past recognized defensive measures. The results highlight how crucial proactive steps, user education, and powerful detection systems are to successfully reducing phishing risks.
Introduction
Phishing attacks’ deceptive tactics are designed to fool victims into sensitive personal information, bank account details, or passwords. Despite advancements in cybersecurity, phishing remains a significant worry due to its evolving techniques and attack on human vulnerabilities [1]. The rising availability of phishing resources has made it possible for even less skilled attackers to carry out sophisticated attacks [2]. This paper examines the practical uses of phishing and highlights the tactics employed by attackers and the consequences that follow. To better understand the threat landscape and put strategies in place to successfully avoid phishing attempts, people and organizations can apply the lessons learnt from these occurrences.
Literature review
Real life examples and lesson suggestions
AOL Email Scams (1995)
The word was first used in reference to one of the earliest known phishing attacks, which occurred at AOL in 1995. This huge scam, dubbed “AOHell,” was directed at subscribers of America Online’s email service. Since AOL was one of the biggest internet service providers in the nation at the time, there was a significant possibility of victim base[3].
Credential theft was one of the phishing techniques employed by the AOHell hackers. The scam began with a credit card number generator that the fraudsters used to create fake profiles and locate actual credit card numbers. Additionally, they appeared to be AOL personnel and convinced victims to give up account or financial information by using the instant messaging service. Although AOL was unable to stop the false instant messaging, they were able to stop the fraudulent credit card portion of the AOHell operation. Fortunately, since 1995, account security technology has advanced greatly[3].
But the most important lesson from this example is to never completely believe messages appearing to be from customer service or a company. Always get in touch with the business personally, and make sure messages are authentic. It’s also critical to carefully examine the sender’s data in order to identify warning signs such as doubtful domain names.
Facebook and Google(2013 -2015)
A sustained operation of phishing robbed Google and Facebook of $100 million between 2013 and 2015. The phisher attacked the fact that both businesses used Quanta, a Taiwan-based business. The company that impersonated Quanta received a number of fake invoices from the attacker, which Google and Facebook paid[4].
Following the eventual discovery of the fraud, Facebook and Google filed cases in the US. Facebook and Google were able to recover $49.7 million of the $100 million that was stolen from them as a result of the legal actions, and the attacker had been captured and arrested from Lithuania[4].
An skilled hacker can effortlessly assume the identity of someone their victim is inclined to trust without hesitation. They sure the victim does not checking the sender’s email address again or contacting them via another method. Verify the legitimacy of the sender before sending any financial information, money, or credentials.
2018 World Cup
In reference to phishing attempts during the 2018 World Cup in Russia, the Federal Trade Commission issued this statement. According to the fraud, the victim entered their personal details to get their World Cup tickets after winning them in a lottery[5].
A few rental frauds were also reported at the same time. During the athletic event, cybercriminals offered impossibly low prices for the houses of real Russian landlords who had their email accounts stolen. A ‘lucky buyer’s credit card details were stolen after they accepted the deal[5].
Always confirm the authenticity of unexpected emails, especially those that offer discounts that appear too good to be true or claim you have won a reward. In this instance, avoiding falling for these frauds would have been made easier by verifying the legitimacy of the rental offer or lottery through proper channels.
Methodology
A qualitative analysis of recorded phishing incidents from credible cybersecurity publications and case studies is used in this study. Finding attack methods, targeted industries, and the psychological strategies employed by attackers are the main objectives of the analysis. This study also looks at case-specific elements that affected whether the phishing efforts were successful or unsuccessful. Interviews with cybersecurity experts additionally provided light on lessons learned and practical mitigation techniques.
Conclusion
Phishing is still a very difficult cybersecurity problem, and attackers are always improving their techniques. Important lessons are revealed by the examination of real-world situations, including the need for strong user training programs, the incorporation of AI-powered phishing detection systems, and the significance of creating a cybersecurity-aware culture. This study highlights the necessity of a multilayered security approach that combines technical advancements with human attention to detail. Organizations and individuals can improve their defenses and lessen the impact of phishing attempts by putting these insights into practice.
Reference
- D. Hasselquist, E. K. Gawell, A. Karlström, and N. Carlsson, “Phishing in Style: Characterizing Phishing Websites in the Wild,” in 2023 7th Network Traffic Measurement and Analysis Conference (TMA), Jun. 2023, pp. 1–4. doi: 10.23919/TMA58422.2023.10199059.
- W. Lee, J. Hur, and D. Kim, “Beneath the Phishing Scripts: A Script-Level Analysis of Phishing Kits and Their Impact on Real-World Phishing Websites,” in Proceedings of the 19th ACM Asia Conference on Computer and Communications Security, in ASIA CCS ’24. New York, NY, USA: Association for Computing Machinery, Jul. 2024, pp. 856–872. doi: 10.1145/3634737.3657013.
- VibeThemes, “Phishing Case Studies: Lessons Learned From Real-Life Attacks – CyberExperts.com.” Accessed: Jan. 03, 2025. [Online]. Available: https://cyberexperts.com/phishing-case-studies-lessons-learned-from-real-life-attacks/
- “The Top 5 Phishing Scams of all Time,” Check Point Software. Accessed: Jan. 03, 2025. [Online]. Available: https://www.checkpoint.com/cyber-hub/threat-prevention/what-is-phishing/the-top-5-phishing-scams-of-all-times/
- “Famous Phishing Incidents from History | Hempstead Town, NY.” Accessed: Jan. 03, 2025. [Online]. Available: https://www.hempsteadny.gov/635/Famous-Phishing-Incidents-from-History
- Sedik, A., Hammad, M., Abd El-Samie, F. E., Gupta, B. B., & Abd El-Latif, A. A. (2022). Efficient deep learning approach for augmented detection of Coronavirus disease. Neural Computing and Applications, 1-18.
- Hammad, M., Abd El-Latif, A. A., Hussain, A., Abd El-Samie, F. E., Gupta, B. B., Ugail, H., & Sedik, A. (2022). Deep learning models for arrhythmia detection in IoT healthcare applications. Computers and Electrical Engineering, 100, 108011.
- Chokkappagari R. (2024) How AI Detects Phishing Scams, Insights2Techinfo, pp.1
Cite As
Karthik V. (2025) Phishing in the wild : Real life Examples and Lessons Learned, Insights2techinfo pp.1