Phishing

Overview
Phishing refers to a practice where someone misrepresents their identity or authority in order to induce another person to provide personally identifiable information (PII) over the Internet. Internet scammers use e-mail bait to “phish” for passwords and financial data from the sea of Internet users.

Some common phishing scams involve e-mails that purport to be from a financial institution, Internet service provider (ISP), or other trusted company claiming that a person’s records have been lost or their account compromised. The e-mail directs the person to a website that mimics the legitimate business’ website and asks the person to enter a credit card number and other PII so the records or account can be restored. In fact, the e-mail or website is controlled by a third party who is attempting to extract information that will be used in identity theft or other crimes.

In a variant of this practice, victims receive e-mails warning them that to avoid losing something of value (e.g., Internet service or access to a bank account) or to get something of value, they must click on a link in the body of the e-mail to “reenter” or “validate” their personal data. Such phishing schemes often mimic financial institutions’ websites and e-mails, and a number of them have even mimicked federal government agencies to add credibility to their demands for information.

The key point about phishing is that it works by means of social engineering &mdash; victims are persuaded to go to a fraudulent website, on which they themselves enter their personal information. No malware needs to be involved, and standard technical measures such as anti-virus software are of no use.

Although phishing emails were originally written in poor English and were relatively easy to detect, they have grown in sophistication, and millions of individuals have been misled. The number of phishing emails is enormous: in the second half of 2006 900-1,000 unique phishing messages, generating almost 8 million emails, were blocked by Symantec software alone on a typical working day &mdash; though according to MessageLabs, phishing still represents just 0.36 percent of total emails.

Phishing attacks can also involve the use of technical subterfuge schemes that plant malicious code, such as Trojan keylogger spyware, onto an individual’s computer without the individual’s awareness and steal personal information directly.

Phishing attacks aid criminals in a wide range of illegal activities, including identity theft and fraud. They can also be used to install malware and attacker tools on a user's system. Common methods of installing malware in phishing attacks include phony banner advertising and pop-up windows on websites. Users who click on the fake ads or pop-up windows may unknowingly permit keystroke loggers to be installed on their systems. These tools can allow a phisher to record a user's personal data and passwords for any and all websites that the user visits, rather than just for a single website.