By 2004 phishing was firmly established. Between May 2004 and May 2005 it was estimated that $929 million (USD) was lost to phishing scams. Since then a wide variety of attacks and techniques have become common, including those highlighted below:
Link Manipulation: One of the earliest attacks was to send targets an email containing a link to a misspelled or misleading domain hosting a page that looked identical to a legitimate site. The target is then tricked into entering their credentials. Over time this has evolved, with modern phishers using images instead of plain text in an attempt to evade spam filters, and complex technical means to make their pages indistinguishable from those of the targeted institution. A recent evolution of this is to direct the user to the legitimate website and then exploit cross-site scripting flaws to display the attacker's own window over the top of the genuine content.
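A defender-side check for the misspelled-domain trick described above, added here as an example that is not part of the original article: it extracts links from an email body and flags hosts that are a digit-for-letter substitution, a near-miss spelling, or a brand name buried as a subdomain of an unrelated domain. The protected-domain list, the sample message and the two-label "registrable domain" heuristic are constructed for illustration.

```python
import re
from urllib.parse import urlparse

# Domains the check protects (constructed sample list, not a real allow-list).
LEGIT_DOMAINS = ("example-bank.com", "paypal.com")
# Digit-for-letter substitutions commonly seen in look-alike names.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})
URL_RE = re.compile(r"https?://[^\s\"'<>]+")

# Constructed message body with one genuine and two look-alike links.
SAMPLE_EMAIL = """Your account needs attention.
Log in at https://paypal.com/login or, if that fails, http://paypa1.com/verify
Statements: http://paypal.com.secure-login.net/statements"""

def levenshtein(a: str, b: str) -> int:
    """Edit distance; adequate for short host names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def registrable_domain(host: str) -> str:
    """Last two labels only: a crude stand-in for a public-suffix lookup."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def classify_link(url: str) -> str:
    """Return 'legitimate', 'unrelated', or a description of the look-alike."""
    host = (urlparse(url).hostname or "").lower()
    dom = registrable_domain(host)
    if dom in LEGIT_DOMAINS:
        return "legitimate"
    for legit in LEGIT_DOMAINS:
        # brand name used as a subdomain of an unrelated registrable domain
        if host.startswith(legit + "."):
            return f"lookalike of {legit} (brand as subdomain)"
        # digit substitution or a one/two-character misspelling
        if dom.translate(HOMOGLYPHS) == legit or levenshtein(dom, legit) <= 2:
            return f"lookalike of {legit}"
    return "unrelated"

def audit_email(body: str) -> list:
    """Return (url, verdict) pairs for every link found in the message body."""
    return [(u, classify_link(u)) for u in URL_RE.findall(body)]
```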
Social Media: One of the major targets of phishing campaigns is social networking sites such as MySpace and Facebook. In 2006 a worm was used to alter links on MySpace and direct users to disclose their login details. The mass of detailed personal information stored on social networking sites makes them a tempting target for phishing attacks, since that information can be used for identity theft on a large scale.
Vishing: April 2006 saw an interesting development in the history of phishing, as phishing attacks were executed against targets outside the web. Using voice over IP (VoIP) technology, attackers were able to exploit public confidence in the land-line system by spoofing caller IDs. Automated messages claiming to be from a bank were used to extract bank account details; the technique was dubbed 'vishing', a combination of 'voice' and 'phishing'.
Spear Phishing and Whaling: Spear phishing and whaling are both targeted phishing attacks, developed after a few years' experience of running traditional phishing scams. Spear phishing is designed to exploit information disclosed through other means, for example leaked usernames. Whaling is aimed at executive-level users, where a single compromised account can lead to major information loss.