5 Most Infamous Phishing Attacks Ever

So, basically, it all started with a simple lab on TryHackMe while I was solving a room about phishing. After completing that, I felt really curious and kept asking myself a simple question: “How bad can phishing really get?”

Like, you know, we’ve all seen those generic emails with “click here to claim your prize” labelled all over them, but I wanted more. I wanted something real, with an actual impact that left the victim in a bad state.

So I researched a bit, and here I present some of the most notable phishing attacks...


AOHell – Birth of Phishing

Up until 1995, the internet was little more than a Wild West. America Online (AOL) was the internet gateway for millions, and many users still had little to no idea how email even functioned.

That’s when a teenager named Koceilah Rekouche published a tool known as AOHell. At first glance, it was just a basic AOL hacking tool. But one feature turned the tables: automated phishing.

With AOHell, an attacker could impersonate AOL admins and distribute forged system messages asking other users to “verify” passwords or credit-card details. Victims were tricked into typing their sensitive information into a chat window, where the phisher received it immediately.

For the first time, the weakness being exploited was not a technical vulnerability but a large-scale human one. And it was successful.
In fact, the term “phishing” was coined in the AOHell docs, from the idea of “fishing for passwords.”

This was bigger than an ordinary prank: it was the beginning of social engineering on a large scale, and it essentially paved the way for the billion-dollar attacks that were soon to follow.

Operation Phish Phry: FBI vs. the Phishing Cartel

Fast-forward to 2009. Phishing was so common and organized at this point that the FBI and Egyptian authorities paid attention. That year, they mounted Operation Phish Phry, one of the largest cybercrime crackdowns ever.

At the center of the scam was a phishing ring that impersonated the websites of major banks, including Bank of America and Wells Fargo, and lured victims into giving out their banking information.

Once credentials had been stolen, the group employed “money mules”: paid individuals who transferred the stolen funds across borders, which made the money even harder to trace.

The impact was huge. Over $1.5 million was swindled from hundreds of victims. Subsequently, over 100 individuals were rounded up in the U.S. and Egypt.

But more than the financial loss, Operation Phish Phry was a wake-up call. Phishing was no longer the preserve of lone hackers. It had grown into global cybercrime, a marriage between organized fraud and technology.

Facebook & Google Scam

From 2013 through 2015, two of the world’s largest tech companies, Google and Facebook, were quietly being stolen from. And it wasn’t with malware or brute-force hacking.

The attacker posed as Quanta Computer, a Taiwanese computer hardware maker and a genuine seller that both companies did business with. He created fake messages, purchase orders, and invoices, all socially engineered to look authentic.

And both companies believed it.

For two years, Rimasauskas misled staff into transferring more than $100 million into bank accounts he controlled.

What’s remarkable is that this was NOT a technical defect in any system. It was a failure of process and human verification. The phishing emails weren’t even especially sophisticated; they just took advantage of the speed at which tech companies react and the trusting nature of humans when dealing with “official-looking” communications.

Rimasauskas was ultimately caught, extradited, and convicted. But the episode became a textbook case of vendor phishing and of why cybersecurity is more than just firewalls and antivirus.

Sony Pictures Hack

In the fall of 2014, Sony Pictures was preparing the release of The Interview, a comedic film lampooning North Korea’s ruler. But behind the scenes, something much more ominous was cooking.

A group identifying itself as the Guardians of Peace targeted Sony staff with spear-phishing emails that pretended to be communications from Apple asking the user to verify their ID. A few mouse clicks and the hackers had a backdoor into Sony’s internal network.

The results were catastrophic. Over 100 terabytes of information were stolen and released, including:

  • Unreleased films
  • Corporate leaders’ confidential emails
  • Remuneration details and Social Security numbers
  • Confidential HR documents

The attack was reportedly carried out by North Korean hackers in retaliation for the film The Interview. The U.S. government went as far as officially attributing the attack to North Korea, a gesture as rare as it was unprecedented.

This was not just some business getting hacked. This was a geopolitical cyberattack triggered by a single phishing email.

Sony suffered not just financial loss but unprecedented reputational damage, a breakdown of trust inside the company, and even intimidation aimed at theatrical showings. It remains arguably the most impactful phishing-induced breach in the history of entertainment.

Colonial Pipeline

By 2021, most firms had trained employees on the basics of phishing. Every now and then, though, one misstep is all it takes.

In May 2021, a single phishing message gave hackers a way into the network of Colonial Pipeline, the largest American fuel pipeline system, which supplies nearly half the East Coast.

After gaining entry, the hackers unleashed ransomware that froze systems and forced Colonial to shut down operations. Panic buying was the result.
Fuel shortages hit several states, flights were delayed, and states of emergency were declared.

The company paid a $4.4 million cryptocurrency ransom (some of which was later recovered), and the hackers, a group called DarkSide, vanished into the darknet soon afterwards.

This attack brought home one terrifying fact: phishing can knock out national infrastructure. The stakes had never been higher.

But Ask Yourself This: Why Phishing Works So Well

What is common in all these attacks?

PEOPLE

Regardless of how sophisticated our security software becomes, phishing attacks abuse human trust, not code. They appeal to urgency, authority, fear, and familiarity in order to push users into acting before they think.

And that is why phishing retains the number one position even in 2025.

From the 1995 AOL chat room to the 2021 pipeline gateway, there is one common denominator in all of these scams: the way humans behave.


Phishing has nothing to do with terrible links or bogus emails.
It has everything to do with the way social engineering, trust, and timing can be leveraged to bring down billion-dollar conglomerates or even whole infrastructures.

Having dug into these kinds of cases, I’m more sure than ever that phishing awareness training shouldn’t be a yearly tick-box procedure. Instead, it has to be ongoing, in-the-world, and hugely ‘human-centered’.

So the next time you see a dubious email from a “vendor” or a stupid login link, wait. That single click might be the first stroke in the next banner headline.


Feel free to reach out if you have something to share, a suggestion or topics you would like to read!!

Also if you’re as passionate about Cyber-Security and tech in general as I am, feel free to follow me on Twitter – @shrisec for the latest updates and connect with me on LinkedIn – Aditya Narayan to stay in the loop with my posts and insights in the upcoming projects and CTF writeups.
Let’s continue this fascinating journey together!
