Definitions
Phishing refers to a social engineering attack, where someone misrepresents their identity or authority in order to induce another person to provide personally identifiable information (PII) over the Internet. Internet scammers use e-mail bait to “phish” for passwords and personal financial data from the "sea" of Internet users.
“uses deceptive spam that appears to be coming from legitimate, well-known sources to trick consumers into divulging sensitive or personal information, such as credit card numbers, other financial data, or passwords.”
“[is a] high-tech scam that frequently uses spam or pop-up messages to deceive people into disclosing sensitive information. Internet scammers use e-mail bait to “phish” for passwords and financial information from the sea of internet users.”
“is a technique used to gain personal information for purposes of identity theft, using fraudulent e-mail messages that appear to come from legitimate businesses. These authentic-looking messages are designed to fool recipients into divulging personal data such as account numbers and passwords, credit card numbers and Social Security numbers.”
“[t]ricking individuals into disclosing sensitive personal information by claiming to be a trustworthy entity in an electronic communication (e.g., internet web sites).”
“[a] digital form of social engineering to deceive individuals into providing sensitive information.”
“[a] spoof that tricks people into divulging sensitive information such as usernames, passwords, or credit card numbers. Phishing can be carried out by email, over the phone, or with a website. The motives are generally to steal money or a user's identity.”
History
Phishing is a term that was coined in 1996 by U.S. hackers who were stealing America Online (“AOL”) accounts by scamming passwords from AOL users. The use of “ph” in the terminology traces back to the 1970s, to early hackers who were involved in “phreaking,” or the hacking of telephone systems.
Typical phishing scams
Some common phishing scams involve e-mails that purport to be from a financial institution, Internet service provider (ISP), or other trusted company claiming that a person’s records have been lost or their account compromised. The e-mail directs the person to a website that mimics the legitimate business' website and asks the person to enter a credit card number and other PII so the records or account can be restored. In fact, the e-mail or website is controlled by a third party who is attempting to extract information that will be used in identity theft or other crimes.
“As part of the email message, the recipient may be asked to click on a link to what appears like a legitimate website, but in fact is a URL that will take the recipient into a spoofed website set up by the adversary. On clicking in, the victim may also find that the sign-in page, logos and graphics are identical to the legitimate website in the adversary-controlled website, thereby creating the trust necessary to make the recipient submit the required information such as user ID and the password. Some attackers use web pages to deliver software exploits directly to the victim’s web browser.”
In a variant of this practice, victims receive e-mails warning them that to avoid losing something of value (e.g., Internet service or access to a bank account) or to get something of value, they must click on a link in the body of the e-mail to "reenter" or "validate" their personal data. Such phishing schemes often mimic financial institutions' websites and e-mails, and a number of them have even mimicked federal government agencies to add credibility to their demands for information.
The key point about phishing is that it works by means of social engineering — victims are persuaded to go to a fraudulent website, on which they themselves enter their personal information. No malware needs to be involved, and standard technical measures such as anti-virus software are of no use.
Although phishing emails were originally written in poor English and were relatively easy to detect, they have grown in sophistication, and millions of individuals have been misled. The number of phishing emails is enormous: in the second half of 2006, 900-1,000 unique phishing messages, generating almost 8 million emails, were blocked by Symantec software alone on a typical working day — though according to MessageLabs, phishing still represents just 0.36 percent of total emails.
Phishing attacks can also involve the use of technical subterfuge schemes that plant malicious code, such as Trojan keylogger spyware, onto an individual's computer without the individual's awareness and steal personal information directly.
Additional phishing scams include:
- Using a "From" address that looks very close to one of the legitimate addresses the user is familiar with or from someone claiming to be an authority (IT administrator, manager, etc.).
- Presenting to the recipient an alarm, a financial lure, or otherwise attractive situation, that either makes the recipient panic or tempts the recipient into taking an action or providing requested information.
- Sending the email from a legitimate account holder's own email software or credentials, typically using a bot that has taken control of the email client or malware that has stolen the user's credentials.
Phishing attacks aid criminals in a wide range of illegal activities, including identity theft and fraud. They can also be used to install malware and attacker tools on a user's system. Common methods of installing malware in phishing attacks include phony banner advertising and pop-up windows on websites. Users who click on the fake ads or pop-up windows may unknowingly permit keystroke loggers to be installed on their systems. These tools can allow a phisher to record a user's personal data and passwords for any and all websites that the user visits, rather than just for a single website.
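Two of the tells listed above, a "From" domain that only resembles the legitimate one and a link whose visible text names the real site while its destination does not, can be checked mechanically at the mail gateway or in a user's inbox. The following is an added example written for this page, not code from any of the cited sources; the trusted-domain allowlist, the confusable-character map and the sample message are all constructed, and `example-bank.com` is a placeholder for a real sender domain.

```python
"""Flag look-alike sender domains and text/href mismatches in an HTML e-mail.
Added example for illustration; allowlist, confusables map and the sample
message are constructed, not taken from the wiki page or any cited source."""
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed allowlist: domains the organisation legitimately sends from.
TRUSTED_DOMAINS = {"example-bank.com"}

# Small confusable map (digits that imitate letters); extend for real use.
CONFUSABLES = str.maketrans({"0": "o", "1": "l"})

# Visible link text that itself looks like a domain or URL.
DOMAINISH = re.compile(r"^(?:https?://)?([\w-]+(?:\.[\w-]+)+)(?:/\S*)?$", re.I)


def levenshtein(a, b):
    """Classic edit distance, used to catch one- or two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalize(domain):
    """Fold common visual substitutions ('rn' for 'm', '0' for 'o', ...)."""
    return domain.lower().replace("rn", "m").translate(CONFUSABLES)


def registrable(host):
    """Crude registrable-domain extraction: last two labels (no public-suffix list)."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def lookalike_domain(domain):
    """Return the trusted domain this domain imitates, or None if it is trusted/unrelated."""
    if domain in TRUSTED_DOMAINS:
        return None
    norm = normalize(domain)
    for trusted in TRUSTED_DOMAINS:
        if norm == trusted or levenshtein(norm, trusted) <= 2:
            return trusted
    return None


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def analyze(raw_message):
    """Return a list of human-readable findings for a single-part HTML message."""
    msg = message_from_string(raw_message)
    findings = []
    _, addr = parseaddr(msg["From"])
    from_domain = addr.rpartition("@")[2].lower()
    target = lookalike_domain(from_domain)
    if target:
        findings.append(f"from-lookalike: {from_domain} resembles {target}")
    parser = LinkCollector()
    parser.feed(msg.get_payload())
    for href, text in parser.links:
        href_host = registrable(urlparse(href).hostname or "")
        m = DOMAINISH.match(text)
        text_host = registrable(m.group(1)) if m else None
        if text_host and text_host != href_host:
            findings.append(f"link-mismatch: text shows {text_host}, href goes to {href_host}")
        target = lookalike_domain(href_host)
        if target:
            findings.append(f"link-lookalike: {href_host} resembles {target}")
    return findings


# Constructed sample message (not a real phishing e-mail).
SAMPLE = """\
From: "Example Bank Security" <alerts@examp1e-bank.com>
To: customer@example.net
Subject: Urgent: verify your account
Content-Type: text/html

<html><body>
<p>Your account has been locked. Please sign in within 24 hours:</p>
<a href="http://examp1e-bank.com/login">https://www.example-bank.com/secure</a>
<p>Or <a href="https://www.example-bank.com/help">contact support</a>.</p>
</body></html>
"""

if __name__ == "__main__":
    for finding in analyze(SAMPLE):
        print(finding)
```

Run against the constructed sample, the checker reports the look-alike sender domain, the mismatch between the displayed URL and the real link target, and the look-alike link host; the "contact support" link, whose text is not domain-like and whose host is trusted, produces nothing. A production version would use a public-suffix list instead of the two-label heuristic and a fuller confusables table (including Unicode homoglyphs).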
How it works
A classic phishing attack using e-mail is as follows:
- Step 1. The phisher sends the potential victim an e-mail that appears to be from the person’s bank or another organization that would hold the victim's personal information. The phisher carefully uses the colors, graphics, logos and wording of the existing company.
- Step 2. The potential victim reads the e-mail and takes the bait by providing the phisher with personal information, either by responding to the e-mail or by clicking on a legitimate-looking link and providing the information via a form on a website that appears to be from the bank or organization in question.
- Step 3. This fake website or e-mail sends the victim’s personal information directly to the phisher.
Steps in a phishing attack
The steps are:
- 0. The phisher prepares for the attack. Step 0 countermeasures include monitoring malicious activity to detect a phishing attack before it begins.
- 1. A malicious payload arrives through some propagation vector. Step 1 countermeasures involve preventing a phishing message or security exploit from arriving.
- 2. The user takes an action that makes him or her vulnerable to an information compromise. Step 2 countermeasures involve detecting phishing tactics and rendering phishing messages less deceptive.
- 3. The user is prompted for confidential information, either by a remote web site or locally by a Web Trojan. Step 3 countermeasures are focused on preventing phishing content from reaching the user.
- 4. The user compromises confidential information. Step 4 countermeasures concentrate on preventing information from being compromised.
- 5. The confidential information is transmitted from a phishing server to the phisher. Step 5 countermeasures involve tracking information transmittal.
- 6. The confidential information is used to impersonate the user. Step 6 countermeasures center on rendering the information useless to a phisher.
- 7. The phisher engages in fraud using the compromised information. Step 7 countermeasures focus on preventing the phisher from receiving money.
Preventive steps
- Do not reply to email messages or popup ads asking for personal or financial information.
- Do not trust telephone numbers in e-mails or popup ads. Voice over Internet Protocol technology can be used to register a telephone with any area code.
- Use antivirus, anti-spyware, and firewall software. These can detect malware on a user’s machine that is participating in a phishing attack.
- Do not email personal or financial information.
- Review credit card and bank account statements regularly.
- Be cautious about accessing untrusted Web sites because some Web browser vulnerabilities can be exploited simply by visiting such sites. Users should also be cautious about opening any attachment or downloading any file from untrusted emails or Web sites.
- Forward phishing-related emails to email@example.com and to the organization that is impersonated in the email.
- Request a copy of your credit report yearly from each of the three credit reporting agencies: Equifax, TransUnion, and Experian. If an identity thief opens accounts in your name, they will likely show up on your credit report.
Additional steps include:
- Validating official communication by personalizing emails and providing unique identifying information that only the organization and user should know. However, confidential information should not be disclosed.
- Using digital signatures on e-mail. However, digital signatures may not be validated automatically by the user’s email application.
- Performing content validation within the Web application. Vulnerabilities in the organization’s Web applications may be used in a phishing attack.
- Personalizing Web content, which can aid users in identifying a fraudulent Web site.
- Using token-based or mutual authentication at the Web site to prevent phishers from reusing previous authentication information to impersonate the user.
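The last item, token-based or mutual authentication that stops a phisher from reusing captured authentication data, is easiest to see in a small challenge-response exchange. What follows is an added example written for this page, not code from the wiki or any cited source: the per-user key, the user name and the "captured" response are constructed, and the HMAC-based protocol is a deliberately minimal stand-in for a real hardware-token or FIDO scheme.

```python
"""Toy mutual challenge-response login (added example, constructed values).
Shows why a response captured from one session is useless in the next, and
why a site that cannot prove it holds the shared key gets no response at all."""
import hashlib
import hmac
import secrets


def _mac(key, label, client_nonce, server_nonce):
    """Bind a proof to both nonces and to the role (server or client) producing it."""
    return hmac.new(key, label + client_nonce + server_nonce, hashlib.sha256).digest()


class Server:
    """Legitimate site: holds each user's shared secret (e.g. provisioned in a token)."""
    def __init__(self, user_keys):
        self._keys = dict(user_keys)
        self._pending = {}          # user -> (client_nonce, server_nonce) awaiting a response

    def challenge(self, user, client_nonce):
        server_nonce = secrets.token_bytes(16)
        self._pending[user] = (client_nonce, server_nonce)
        proof = _mac(self._keys[user], b"server", client_nonce, server_nonce)
        return server_nonce, proof

    def verify(self, user, response):
        pending = self._pending.pop(user, None)   # one nonce, one attempt, then discarded
        if pending is None:
            return False
        expected = _mac(self._keys[user], b"client", *pending)
        return hmac.compare_digest(expected, response)


class FakeServer:
    """A spoofed site: it can imitate the message format but has no key to prove itself."""
    def challenge(self, user, client_nonce):
        return secrets.token_bytes(16), secrets.token_bytes(32)


class Client:
    def __init__(self, user, key):
        self.user, self.key = user, key
        self.last_response = None   # kept only so the replay demo can show what a capture yields

    def login(self, server):
        client_nonce = secrets.token_bytes(16)
        server_nonce, proof = server.challenge(self.user, client_nonce)
        # Mutual authentication: refuse to answer a server that cannot prove it holds the key.
        if not hmac.compare_digest(proof, _mac(self.key, b"server", client_nonce, server_nonce)):
            return False
        self.last_response = _mac(self.key, b"client", client_nonce, server_nonce)
        return server.verify(self.user, self.last_response)


USER_KEYS = {"alice": secrets.token_bytes(32)}   # constructed per-user secret


def demo_legitimate():
    """Normal login succeeds."""
    return Client("alice", USER_KEYS["alice"]).login(Server(USER_KEYS))


def demo_replay():
    """A response captured from an earlier session fails against a fresh challenge."""
    server = Server(USER_KEYS)
    client = Client("alice", USER_KEYS["alice"])
    client.login(server)
    captured = client.last_response                      # what a phisher would have obtained
    server.challenge("alice", secrets.token_bytes(16))   # new session, new nonces
    return server.verify("alice", captured)              # -> False


def demo_fake_server():
    """Client refuses to send any response to a site that cannot prove the key."""
    return Client("alice", USER_KEYS["alice"]).login(FakeServer())


if __name__ == "__main__":
    print("legitimate:", demo_legitimate())
    print("replay:", demo_replay())
    print("fake server:", demo_fake_server())
```

The nonces make every response single-use, so a password-style capture is worthless afterwards, and the server-side proof means the user never hands anything to a site that merely looks right. Note the limit of this scheme: it defeats replay, not a real-time relay that forwards fresh challenges between the user and the genuine site; closing that gap requires binding the credential to the site's origin, which is what modern hardware-backed (FIDO-style) authenticators do.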
References
- Protecting Consumer Privacy in an Era of Rapid Change: A Proposed Framework for Businesses and Policymakers, at 37 n.174.
- The Smart Grid and Cybersecurity: Regulatory Policy and Issues, at 8 n.20.
- Computerworld (Jan. 19, 2004) (full-text).
- NIST Special Publication 800-82, at B-6.
- NICCS, Explore Terms: A Glossary of Common Cybersecurity Terminology (full-text).
- Cybersecurity A Primer for State Utility Regulators, App. B.
- NIST Special Publication 800-177, at 16.
- Symantec Internet Security Threat Report, July-December 2006 (full-text).
- MessageLabs 2006 Annual Security Report (full-text).
- Federal Trade Commission, How Not to Get Hooked by a Phishing Scam (Oct. 2006) (full-text).
- Under the Fair and Accurate Credit Transactions Act of 2003, consumers can request a free credit report from each of the three consumer credit reporting agencies once every 12 months.
Source
- Online Identity Theft: Phishing Technology, Chokepoints and Countermeasures, at 2.
- "Typical phishing scams" section: NIST Special Publication 800-177, at 16.
See also
- Advisory on Registrar Impersonation Phishing Attacks
- Avoiding Social Engineering and Phishing Attacks
- Clone phishing
- Man-in-the-middle attack
- Nigerian 4-1-9 fraud
- Online Identity Theft: Phishing Technology, Chokepoints and Countermeasures
- Report on Phishing
- Spam Summit: The Next Generation of Threats and Solutions
- State phishing laws