The warez community, which exchanged pirated software, was closely linked to phishing on AOL. The 1990s saw the rise of phishing on AOL. Initially, those who phished on AOL used algorithmically generated credit cards numbers that were fake to create accounts. These accounts could have been up to a few weeks in length. AOL introduced measures to stop this in 1995. However, the early crackers of AOL resorted to phishing to obtain legitimate accounts.



A phisher may pose as an AOL employee and send an instant message asking for the victim's password. To lure the victim, the message could include instructions such as "verify your account" and "confirm billing information". After the victim revealed their password, the attacker was able to access the victim's account and use it for criminal purposes such as spamming. AOL required customized programs such as AOHell to perform both warezing and phishing. AOL made phishing so common that they added a line to all instant messages saying: "No one at AOL will ask you for your password or billing information."


AOL's policy regarding phishing and warez was made more strict after 1997. This forced pirated software from AOL servers. AOL also developed a system that would quickly deactivate accounts in phishing attacks, often before victims could respond. Most phishers left AOL after the shutdown of the warez section, and many young phishers grew out of this habit.


Phishers may have used AOL account information to steal credit card information and then realized that online payment systems could be attacked. E-gold was the first victim of a direct attack on a payment system. This was followed by a "post-911 ID check" shortly after September 11th attacks. Although both were initially viewed as failures at the time, they can now be seen to be early attempts towards more successful attacks on mainstream banks. In 2004, phishing had become a fully industrialized sector of the crime economy. Specializations were created on a worldwide scale to provide components for cash that were then assembled into final attacks.


Phishing attacks do not always require a fake website. A message claiming to be from a bank instructed users to dial a number to report problems with their bank accounts. After the phone number was dialed (provided by Voice over IP), prompts instructed users to enter their account numbers, as well as their PIN. Voice phishing can sometimes use fake caller ID data to make it appear that the calls are coming from a trusted company.


Phishing can cause significant financial loss and denial of email access. This type of identity theft is growing in popularity due to the ease with which unsuspecting individuals often reveal personal information to phishers. Identity thieves may also be able to access public records and add this information to their knowledge. The phishers can use this information to create fake accounts under the victim's name. They may then use this information to ruin victims' credit or deny them access to their accounts.