Screenshot of an old AOL Instant Messenger phishing message prompting the user to download a new version via a link.

The Evolution of Phishing and the Return of Digital Trust

Phishing has shaped the internet more than any other online threat. It began with simple impersonation on AOL and has since adapted to every new communication platform, from email to mobile messaging. Yet, despite decades of technological progress, the technique itself has barely changed. What’s different today is not how phishing works, but where it finds people.

This article traces the story of phishing from its origins in the mid-1990s to the present day, exploring how trust on the web was first built, then lost, and is now being rebuilt through a new approach known as Zero Trust for web links – a concept my team at MetaCert pioneered. This isn’t a sales pitch or product announcement; it’s a return to first principles. After being one of the first people ever impersonated online, I’ve come full circle. What began as a personal experience of deception on AOL has evolved into a mission to make trust visible again.

The Origins of Phishing

Phishing is the act of impersonating a trusted person or organisation to deceive someone into taking an action that benefits the attacker, usually clicking a link that leads them to share credentials, install dangerous software or transfer money. The word comes from the idea of fishing for victims with bait, and the deliberate “ph” spelling reflects its roots in the hacker subculture that grew out of phone phreaking, a practice that predates the web by decades. (Wikipedia)

Where It Began

Phishing as we know it first appeared around 1996 within the America Online (AOL) ecosystem. At that time, millions of people were coming online for the first time, and AOL had become the internet’s main gateway. Attackers began creating fake AOL login pages and sending instant messages that appeared to be from AOL staff, asking members to “verify” their passwords or billing information.

These early impersonators were often teenagers experimenting with social engineering rather than professional criminals. One figure stands out: Koceilah Rekouche, known by the alias “Da Chronic.” In the mid-1990s, Rekouche developed a software tool called AOHell for the AOL platform. Among its features were automated password-stealing and social engineering routines that allowed anyone to phish with a single click. What began as “click a button to phish for passwords” soon evolved into the first mass social engineering campaigns. That shift, from technical exploit to psychological manipulation combined with automation, explains why phishing remains so effective today.

A Personal View from the Front Line

At the time, I was part of the AOL New Technologies team, where I worked as the Technical Accounts Manager and International Beta Coordinator for AOL UK, helping to launch products such as AOL Instant Messenger, the first consumer messaging service. It was within that environment that I became one of the first people to be impersonated online. This was where people were first tricked on the internet, a defining moment that revealed how easily trust could be exploited before technical protections existed.

How People Were Tricked

Early victims were deceived by authority. Attackers posed as AOL staff, claiming an account problem or billing issue and asking for credentials. There was no shared understanding of online identity at the time, and official-looking messages or familiar phrasing were enough to convince people they were dealing with AOL itself.

Why It Worked

Phishing succeeded because people were unable to tell the difference between a legitimate message and a well-crafted fake one. The concept of online impersonation was new, and systems had no authentication mechanisms to verify who was really behind a message. It exposed a weakness that still exists today: people trust what looks familiar or expected, especially when a message appears to come from someone or something they already know.

From Experiment to Industry

Once email became the dominant communication channel, phishing spread beyond AOL. By the early 2000s, professional criminals replaced hobbyists, targeting banks and payment providers. The first large-scale campaigns impersonated institutions such as Citibank and eBay, directing people to cloned login pages. These operations marked the transition from curiosity-driven mischief to organised financial crime.

But while the platforms changed, the technique did not. The same basic social engineering tactic persisted: impersonate a trusted identity, use a believable message, and lure the target to click a link. The only difference was the delivery medium. What began with instant messages on AOL moved to email, then to social networks, team collaboration tools, and messaging apps.

SMS phishing (smishing) began to climb around 2019, and when the pandemic kept people at home waiting for parcel deliveries, text messages became the perfect channel. Criminals realised how fast, cheap and easy it was to bypass the controls built up around email and reach people directly. SMS traffic soared, and phishing with it. Phishing itself had been a constant since 1996, but smishing was a niche tactic until this surge; by 2024 it had become the leading phishing delivery channel.

Animated-style line graph showing the timeline of phishing from 1996 to 2025, highlighting the explosive rise of SMS phishing from 2019 onwards.

The global cost of cybercrime is projected to rise from around $1 trillion to $15 trillion a year by 2029, with roughly 90% of attacks still starting with phishing. What began on desktops has moved to mobile, where most phishing now takes place. In 2024, Proofpoint reported that SMS had overtaken email as the top phishing channel, and 83% of new phishing sites now target mobile users. That makes SMS links the most effective tool criminals have, but it also makes them a single chokepoint: a link that is checked before it is opened stops most fraud, identity theft, account takeover, ransomware and data breaches before they start.

Phishing has evolved only in where it reaches people, not in how it deceives them. The defensive model has barely advanced either. The world still relies on detection-based tools that react to known threats instead of verifying authenticity before trust is given. The problem that started in the 1990s remains the same today: people can’t tell what’s real and what’s fake before it’s too late, and their security controls can’t either.

The Rise and Fall of Website Identity

The story of website identity also began in the mid-1990s, when the internet was open, unencrypted and inherently untrustworthy. Netscape introduced SSL not to defeat hackers but to enable commerce. Banks, card networks and merchants needed a way to make online payments feel safe. Encryption offered confidentiality, while the visual indicator (a key icon in early Navigator, later the familiar padlock) created psychological reassurance. In effect, SSL manufactured digital trust so that e-commerce could exist.

As online transactions grew, the Certificate Authority (CA) industry emerged to formalise this reassurance. Website identity verification became a paid service rather than a built-in property of the web. The early commercial CAs did check corporate paperwork before issuing a certificate, but almost none of that reached the user: what the browser displayed proved only that the connection was encrypted, not that the site belonged to who it claimed. Banks and e-commerce firms accepted this compromise because it reduced liability and helped drive adoption. The web was becoming more secure in appearance, if not in truth.

By the early 2000s, Domain Validation (DV) certificates, which check only that the applicant controls the domain name and nothing about who the applicant is, lowered costs and simplified issuance. Automation made it possible for anyone, including criminals, to obtain the same visual trust indicators as legitimate businesses. The motivation was convenience and scalability, not consumer protection. Encryption spread, but website identity verification weakened.

Bar and line chart showing the rise in free SSL certificates issued by Let’s Encrypt alongside the increase in new phishing scams from 2016 to 2019.

As free SSL certificates became more widely available through Let’s Encrypt, phishing scams grew in parallel, showing that HTTPS is no longer a reliable indicator of website safety.

In 2007, Extended Validation (EV) certificates attempted to restore integrity. They introduced rigorous checks on an organisation’s legal identity and displayed the company name in green within the browser’s address bar. This was meant to help people distinguish genuine banks and retailers from impostors. Yet, while EV satisfied compliance officers, it failed to influence behaviour. The cues were too subtle, inconsistent across browsers, and rarely explained to ordinary users. Few websites adopted EV, and those that did blended in with the overwhelming number that did not. Over time, the visual differences lost meaning, and people stopped paying attention. What was meant to signal authenticity became background noise.

Then came the next turning point: the push for HTTPS everywhere. From around 2014, browser makers and major platforms pressed for universal encryption, largely for privacy, data protection and ecosystem stability, and Let’s Encrypt, which opened to the public in late 2015, made free DV certificates ubiquitous. By 2019 the large majority of web page loads were encrypted, and browsers removed the EV company name from the address bar (Safari in 2018, Chrome and Firefox in 2019), leaving organisation identity visible only to those who open the certificate details.

This marked the end of website identity as a visible concept. The padlock, once read as a symbol of safety, now signalled only that data was encrypted in transit, and in 2023 Chrome dropped the padlock icon altogether. Without any user-facing assurance of who owned a site, trust reverted to instinct. Consumers were left to rely on gut feelings, brand familiarity or design cues, precisely the weaknesses phishing exploits.

The life of website identity can therefore be seen as a cycle. It began as a tool to build confidence in digital commerce, matured into a regulated trust industry, then dissolved into background infrastructure. What was designed to help people recognise legitimate websites ultimately left them blind to authenticity. When identity vanished from browsers, phishing began to explode even more.

The Rebirth of Website Identity Through a Zero Trust Approach

Today, website identity is rising again. It’s re-emerging through a new Zero Trust approach to web links – a concept pioneered by my team at MetaCert.

This approach treats every URL as untrusted until it’s explicitly verified as legitimate. It doesn’t depend on detection, machine learning, AI, content scanning or any other kind of threat detection. Instead, it restores the missing layer of digital trust by verifying legitimacy before a person interacts with a link. It’s a holistic framework we hope the wider security industry will embrace, not a proprietary feature or sales idea.

The ability to check links across all apps and services on mobile is one implementation of this concept. I believe it’s time for people to take the green shield concept to text messages, email, apps, QR codes, and browsers on their phone, where 83% of phishing occurs. It’s time to make it easy for people to verify the legitimacy of web links before they open them, whether inside a browser or an in-app WebView.
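To make the contrast between “detect the bad” and “verify the good” concrete, here is an added example (not MetaCert’s code, and not a description of its service) of a zero-trust link check run over SMS text, the chokepoint argued for in the section above on mobile phishing. It assumes a small allow-list of verified registrable domains and a truncated stand-in for the Public Suffix List; the domain names and the sample messages are constructed for illustration, and the rule that a verified brand is only vouched for over HTTPS is a policy choice of this example. Every link starts out unverified and the code never tries to recognise a phishing page; it only refuses to vouch for anything it cannot positively identify, which is why userinfo tricks, IP literals, lookalike subdomains, IDN homographs and URLs smuggled into a query string all fall out as unverified without any special detection logic.

```python
"""Zero-trust link check for SMS text (added example, not MetaCert's code).

Every URL starts out UNVERIFIED. It becomes VERIFIED only when the host the
browser will actually connect to has a registrable domain on an explicit
allow-list. Nothing here tries to recognise a phishing page; the code only
refuses to vouch for what it cannot positively identify.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import parse_qsl, urlsplit

# Constructed allow-list standing in for a registry of identity-checked
# domains (hypothetical names, an assumption of this example).
VERIFIED_DOMAINS = {"example-bank.com", "parcel-courier.co.uk"}

# Truncated stand-in for the Public Suffix List; real code would load the
# full list from https://publicsuffix.org/ (assumption).
PUBLIC_SUFFIXES = {"com", "net", "org", "uk", "co.uk", "org.uk"}

URL_RE = re.compile(r"(?i)\b(?:https?://|www\.)[^\s<>\"']+")
TRAILING_PUNCT = ".,;:!?)]'\""


@dataclass
class Verdict:
    url: str
    verified: bool
    reason: str


def registrable_domain(host: str) -> Optional[str]:
    """Return the eTLD+1, the part of a name someone can actually own, or None."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):  # walks from the longest candidate suffix down
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i - 1:]) if i > 0 else None
    return None  # unknown suffix: the name cannot be identified


def check_url(raw: str) -> Verdict:
    """Classify one link. Default is UNVERIFIED; only an exact allow-list match
    with no authority or redirect tricks earns VERIFIED."""
    url = raw if "://" in raw else "http://" + raw
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return Verdict(raw, False, "non-web scheme")
    if parts.username is not None or parts.password is not None:
        # https://example-bank.com@evil.example shows the trusted name first
        return Verdict(raw, False, "userinfo in authority")
    host = parts.hostname or ""
    if not host:
        return Verdict(raw, False, "no host")
    try:
        ipaddress.ip_address(host)
        return Verdict(raw, False, "IP literal instead of a name")
    except ValueError:
        pass
    try:
        # Compare A-labels: example-bank.com spelled with a Cyrillic U+0430
        # becomes xn--..., which is simply not on the list. No homograph heuristics.
        host = host.encode("idna").decode("ascii")
    except UnicodeError:
        return Verdict(raw, False, "host is not a valid IDN")
    domain = registrable_domain(host)
    if domain is None:
        return Verdict(raw, False, f"{host}: no recognised public suffix")
    if domain not in VERIFIED_DOMAINS:
        return Verdict(raw, False, f"{domain} not on the verified list")
    for _key, value in parse_qsl(parts.query, keep_blank_values=True):
        if value.startswith("//") or URL_RE.search(value):
            return Verdict(raw, False,
                           f"{domain} verified but query carries another URL "
                           "(possible open redirect)")
    if parts.scheme != "https":
        # Policy choice of this example: do not vouch for a brand over plaintext
        return Verdict(raw, False, f"{domain} verified but plaintext HTTP")
    return Verdict(raw, True, f"{domain} verified")


def scan_message(text: str) -> List[Verdict]:
    """Extract every link in one SMS and check each one."""
    return [check_url(m.group(0).rstrip(TRAILING_PUNCT))
            for m in URL_RE.finditer(text)]


def scan_messages(messages: List[str]) -> List[Verdict]:
    return [v for text in messages for v in scan_message(text)]


# Constructed sample messages (not real campaigns). Only the first is legitimate.
SAMPLE_MESSAGES = [
    "Your parcel is on its way. Track it at https://parcel-courier.co.uk/track/8812",
    "Parcel Courier: pay the redelivery fee at "
    "https://parcel-courier.co.uk.redelivery-fee.net/pay",
    "Example Bank: unusual sign-in, confirm at https://example-bank.com@192.0.2.10/login",
    "Example Bank: verify your device at https://ex\u0430mple-bank.com/verify",
    "Your statement is ready: https://example-bank.com/go?to=https://evil.example/statement",
]

if __name__ == "__main__":
    for v in scan_messages(SAMPLE_MESSAGES):
        print("VERIFIED  " if v.verified else "UNVERIFIED", v.url, "-", v.reason)
```

Run it directly to get one verdict per link for the sample messages. The open-redirect check is deliberately blunt: a real deployment would follow the redirect chain and judge the final destination, and the allow-list would be a registry of identity-checked domains rather than a hard-coded set. The point of the structure is that the default answer is “unverified”, so a brand-new lure needs no signature, model or scan to be kept out of the green.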

It brings visible, verifiable identity back to the modern digital experience—not just for e-commerce, but for every form of communication. We’re now scaling this model globally through partnerships with banks, payment companies, and mobile operators. The first we can name is Mackie Mobile, with more information to follow soon. Mackie Mobile will be the first mobile carrier built around protection (security and privacy) rather than just connectivity. Its founding team includes former special operations and diplomatic professionals who understand what it takes to protect people with military-grade thinking and technology. They take security and privacy so seriously that customer protection is going to be their main unique selling point.

For me, this is full circle. The problem that began on AOL – where people like me were first impersonated – has found its modern counterpart in mobile telecommunications. The same flaw persists: people can’t see what’s real, and neither can their security controls. The difference is that, this time, we can fix it.

The Present and Future

Despite massive investment in detection technologies and hundreds of billions spent on cybersecurity each year, phishing remains the most effective and widespread entry point for online fraud and targeted cyberattacks. Apart from deepfake video and voice, most phishing is not new, evolving or more sophisticated. The conventional approach is clearly unreliable, as shown by the fact that people are still told to “stay vigilant” and “check suspicious links.”

Stay vigilant has become the cybersecurity equivalent of thoughts and prayers. It shifts responsibility to individuals instead of fixing the core architectural flaw. That’s not a strategy for the future of trust, reputation, banking, online retail, or data protection.

Why Understanding the Origin Matters

Phishing didn’t start as a technical exploit but as a psychological one. The first phishers proved that you don’t need to break in when it’s faster, cheaper and easier to log in. Knowing where it began reminds us that solving it requires more than filters and AI detection. The world doesn’t need more security; it needs a different kind of security: a way to authenticate what’s real before people decide to place their trust in a website, login page, payment request, app download, AI chatbot, invoice or social media account.

So the real question now is this: after 30 years of phishing and endless advice to stay alert, what if the answer was simply being told what’s verified as legitimate?

What do you want for the people you care about? Should they be left to stay vigilant and hope they never fall for a new phishing trick, or should they have tools that make it easy to check if a message or link is legitimate before they place their trust in it?
