The Origin & Evolution of Phishing: How a 90s Hack Became Today’s #1 Cyber Threat

TL;DR

  • Phishing began on AOL in the 90s.
  • It hasn’t changed much, just scaled up.
  • Defense needs to start with people, not just tech.
  • Simulation is essential. So is real-time prevention.

Phishing didn’t start with billion-dollar heists or AI-generated deepfakes. It started with something much simpler, and a little ridiculous. Picture the mid-90s internet: dial-up tones screeching, AOL chat rooms buzzing, and kids pretending to be AOL support staff. They weren’t cracking code; they were cracking people. That’s the real birth of phishing: a prank that turned into a playbook for some of the biggest cyberattacks of our time.

Today, phishing is behind everything from crypto wallet drains to billion-dollar data breaches. This blog breaks down the origins of phishing, its evolution, and why it remains the single biggest threat to the human side of online security.

Timeline: How Phishing Grew Up (1990s → Today)

The Early Seeds: Before “Phishing” Had a Name

Back in 1987, a few academics stood up at conferences and warned: people are easier to hack than machines. They basically said, “Why brute-force a password when you can just ask for it?” But the world didn’t take it seriously until the early 90s, when AOL became the Wild West of the internet.

Enter AOHell in 1994, a free toolkit that let anyone pretend to be AOL staff. You could pop into a chat, send fake warnings like “Your account will be terminated unless you verify,” and boom… stolen creds. It was phishing before the name stuck, and it spread like wildfire. By 1995, “phishing” was the word in hacker circles, spelled with a “ph” as a nod to the old-school phreaking culture of hacking telephone systems.

Think of it as the OG meme scam: the AOL version of “Click here to claim your free iPod.” Only instead of iPods, people lost their identities.

From LOLs to Loot: How Phishing Grew Up

Phishing started as digital mischief, but it didn’t take long to go pro.

  • 1996: The first recorded use of the word “phishing” appears in underground newsgroups (the alt.2600 newsgroup). What was once trolling now had branding.
  • 2001: Attackers pivot to real money, targeting E-Gold accounts. Playtime was over; this was organized theft.
  • 2003–2005: Fake PayPal and eBay sites spread like wildfire. Estimated annual losses approached a billion dollars. That’s not “script kiddies” anymore, that’s an industry.
  • 2007–2010: Spear-phishing and smishing (phishing via SMS) take hold. Instead of blasting everyone, attackers handpicked targets. This set the stage for the “CEO fraud” (business email compromise) era.
  • 2011: RSA, the company behind SecurID two-factor tokens, got owned by one phish titled “2011 Recruitment Plan.” An employee opened the attached spreadsheet, which carried a zero-day exploit; the attackers made off with SecurID-related data that was later tied to an attempted intrusion at defense contractor Lockheed Martin. One click. That’s all it took.
  • 2016–2020: Phishing becomes the #1 entry point for mega-breaches. If you’ve read about any massive hack, odds are the first domino was a phish.
  • 2020–Today: Welcome to Phishing-as-a-Service (PhaaS). Want to phish like a pro? Just rent a kit. Get brand-perfect clones, AI-written emails, MFA-bypass tools, even customer support. Hackers don’t need to hack anymore; they just subscribe.

Same Scam, New Costume

The phishing recipe hasn’t changed since the AOL days:

  • Pretend to be someone you trust (boss, bank, IT help desk).
  • Add urgency (“your account will be closed in 24 hours”).
  • Steal credentials, wallets, or personal info.


What’s changed? The scale. In 1995, AOHell let teenagers prank strangers in chat rooms with canned “verify your account” messages. Today, PhaaS lets anyone spin up deepfake CEOs, spoofed domains, and multilingual phishing lures in minutes. It’s basically the Netflix model, but for cybercrime.

Why Do We Keep Falling for It?

Why does this still work, 30 years later? Because technology got smarter, but people didn’t get harder to trick. We’re still the same soft target.

Firewalls can’t stop Becky in accounting from clicking “urgent invoice.” Antivirus won’t save Tom in sales from entering his creds into a fake Zoom login. And let’s be honest: everyone, at some point, has hovered over a sketchy link thinking: this might be fine…

Meanwhile, organizations are still rolling out the same tired awareness training: slideshows with clipart fishhooks and slogans like “Don’t take the bait!” Newsflash: attackers aren’t just sending Nigerian prince emails anymore. They’re running adversary-in-the-middle (AiTM) reverse-proxy sites that relay the victim’s real login, including the MFA step, to the genuine service and capture the resulting session cookie. The MFA code is consumed legitimately; the attacker simply walks away with the logged-in session.
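That AiTM pattern leaves a fingerprint in authentication logs, because the login the identity provider sees comes from the proxy’s address, and the stolen cookie is then replayed from somewhere else shortly afterwards. The following detection sketch is an added example for this post, not a Resonance Security tool or anything from the original article; the log format, field names, IP addresses, session-token hashes and the 30-day “known addresses” baseline are all constructed and assumed.

```python
"""Flag session-token theft by an adversary-in-the-middle (AiTM) phishing proxy.

Constructed example (not a product): the log format, field names, addresses and
token hashes are assumed. Two signals are combined:
  1. an MFA-validated login from an address the user has never used before
     (the AiTM reverse proxy, not the victim's own network), and
  2. the same session token presented from a second address within minutes
     (the attacker replaying the captured cookie from their own infrastructure).
Either signal alone is noisy (travel, VPNs, NAT); both together within a short
window is the AiTM shape described in the post.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed authentication log: timestamp, user, event, source IP, hashed session token.
LOG_LINES = [
    "2024-05-02T09:00:01Z user=becky event=login_mfa_ok src=203.0.113.45 token=a1f3",
    "2024-05-02T09:00:05Z user=becky event=api src=203.0.113.45 token=a1f3",
    "2024-05-02T09:00:40Z user=becky event=api src=198.51.100.7 token=a1f3",
    "2024-05-02T09:01:00Z user=tom event=login_mfa_ok src=192.0.2.10 token=b7c2",
    "2024-05-02T09:05:00Z user=tom event=api src=192.0.2.10 token=b7c2",
]

# Constructed baseline: source addresses each user has logged in from over the last 30 days.
KNOWN_IPS = {"becky": {"192.0.2.88"}, "tom": {"192.0.2.10"}}


def parse(line: str) -> dict:
    """Turn one 'ts key=value ...' log line into a dict with a parsed 'ts' datetime."""
    ts, rest = line.split(" ", 1)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    fields["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return fields


def detect_aitm(lines, known_ips, window=timedelta(minutes=10)) -> list:
    """Return one alert per session token that shows both AiTM signals."""
    by_token = defaultdict(list)
    for event in (parse(line) for line in lines):
        by_token[event["token"]].append(event)

    alerts = []
    for token, events in by_token.items():
        events.sort(key=lambda e: e["ts"])
        login = next((e for e in events if e["event"] == "login_mfa_ok"), None)
        if login is None:
            continue  # token never minted by a login we saw; out of scope here
        user = login["user"]
        reasons = []

        # Signal 1: the MFA-validated login came from an address never seen for this user.
        if login["src"] not in known_ips.get(user, set()):
            reasons.append(f"MFA login from never-seen address {login['src']}")

        # Signal 2: the same token is used from a different address soon after login.
        for e in events:
            if e["src"] != login["src"] and e["ts"] - login["ts"] <= window:
                seconds = int((e["ts"] - login["ts"]).total_seconds())
                reasons.append(f"token reused from {e['src']} {seconds}s after login")
                break

        if len(reasons) == 2:
            alerts.append({"user": user, "token": token, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in detect_aitm(LOG_LINES, KNOWN_IPS):
        print(f"[AiTM suspected] user={alert['user']} token={alert['token']}")
        for reason in alert["reasons"]:
            print(f"  - {reason}")
```

On the constructed log, Becky’s token is flagged (login from an unknown address, then reuse from a second address 39 seconds later) while Tom’s normal session is not. Two caveats a practitioner should keep in mind: an attacker who replays the cookie through the same proxy address defeats the second signal, so this is a detection of convenience, not a control; the structural fix is phishing-resistant, origin-bound MFA (such as FIDO2/WebAuthn) together with short session lifetimes, so that a relayed login no longer yields a reusable token.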

The Harsh Lessons History Hands Us

Phishing’s evolution screams three truths:

  1. Humans are the target.
    Firewalls and filters aren’t enough. If someone clicks and nothing downstream catches it, the breach happens. That’s why awareness and training matter.

  2. Automation is the enemy and the opportunity.
    Attackers use tools to scale phishing. So should defenders. Simulations, detections, and behavioral feedback need to be just as fast.

  3. Context is everything.
    The best phishing attacks feel real. That’s why defense has to match context: your company, your teams, your tools.

What Is Resonance Security Doing About It?

We’ve studied phishing from AOL’s “You’ve Got Mail” days to today’s deepfake CEO scams. That’s why we built:

  • Equalizer: Hyper-realistic phishing simulations. No cartoon fishhooks; these mimic real workflows and real lures, forcing people to learn by doing.
  • PhishGuard (coming soon): An always-on email bodyguard that tells you if the email is safe for you or not.

Book a FREE exploration call to see our phishing-protection tools in action.
