Phishing is a technique used by identity thieves to steal your personal information, usually so they can gain access to financial accounts.
To understand phishing, let's consider what fishing is. A fisherman casts a line out in the water repeatedly with a lure attached. The lure is a deceiving piece of gear that looks like a tasty smaller fish, but it's actually a nasty hook. Eventually, the lure catches the attention of a fish, which then bites it. The fooled fish is then reeled in on a hook and meets its demise in a frying pan with a sprig of dill.
Phishing is kind of the same, but without the dill. The phisher uses email (or sometimes a pop-up message on the Web) as his lure. He casts out zillions of emails that are designed to trick the recipients into giving up personal information such as user IDs and passwords used to access their bank accounts.
Phishers use a variety of emails to fool their unsuspecting victims. One of the most common is the email that claims to be from a business or organization you deal with: perhaps your Internet service provider, an online payment service, or a government agency. Very often phishers pretend to be your bank.
The email includes realistic company branding and logos and reads like typical communication from the real institution (see Figure 4.1). This sometimes includes, ironically, warnings about protecting yourself from fraud.
Figure 4.1. This email appears to be from Washington Mutual. Clicking on the link, however, would lead to a website run by a phisher, who is trying to gather personal banking information.
Notice that this email, purportedly from a legitimate banking institution, asks the recipient to enter sensitive, personal information, something reputable banks do not request via email. The email asks for validation of personal information including account numbers, user IDs, and passwords. It asks you to click on an included link that takes you to the institution's website so you can enter your information. Of course, it also looks exactly like the institution's website, but it, too, is bogus.
Although many phishers pretend to be major global banks, they have been known to use regional credit unions and community banks. Among other favorites are online companies such as eBay or PayPal (see Figure 4.2).
Figure 4.2. This email looks like it came from eBay, an online auction website. However, it secretly directs the recipient to a website with a Russian web address.
Notice that this email redirects to a suspicious website address in Russia and not to eBay. The consequences of not providing the requested information are fairly dire, which is a good indicator that this email isn't what it seems.
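As an added defender-side illustration, not code from the book, the script below checks an email's HTML for the three tells this chapter describes: a link whose label names the institution but whose address points elsewhere (Figure 4.2), a request for account numbers, user IDs or passwords (Figure 4.1), and threats of dire consequences. The sample message, the keyword lists and the registered_domain helper are constructed assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse
# Indicators the chapter describes: requests for credentials and dire consequences.
CREDENTIAL_TERMS = ("password", "user id", "account number")
URGENCY_TERMS = ("suspended", "terminated", "within 24 hours")

class _MailParser(HTMLParser):  # collects (href, label) per <a> plus the text body
    def __init__(self):
        super().__init__()
        self.links, self.text, self._href, self._label = [], [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._label = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        self.text.append(data)
        if self._href is not None:
            self._label.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._label).strip()))
            self._href = None

def registered_domain(host):
    """Crude 'ebay.com' from 'www.ebay.com' (hypothetical helper; no public-suffix list)."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()

def phishing_indicators(html, claimed_domain):
    """Return reasons the mail does not match the institution it claims to be from."""
    p = _MailParser()
    p.feed(html)
    findings = []
    for href, label in p.links:          # Figure 4.2 case: label says eBay, host does not
        host = urlparse(href).hostname or ""
        if registered_domain(host) != claimed_domain.lower():
            findings.append(f"link labelled '{label}' points to {host}, not {claimed_domain}")
    body = "".join(p.text).lower()
    asked = [t for t in CREDENTIAL_TERMS if t in body]
    if asked:                            # Figure 4.1 case: bank asking for IDs and passwords
        findings.append("asks for credentials via email: " + ", ".join(asked))
    threats = [t for t in URGENCY_TERMS if t in body]
    if threats:
        findings.append("threatens consequences: " + ", ".join(threats))
    return findings

# Constructed sample modelled on Figure 4.2 (not the book's own email text).
SAMPLE_EMAIL = """<html><body><p>Dear eBay member, your account will be
<b>suspended</b> within 24 hours unless you confirm your User ID and password at
<a href="http://ebay.secure-update.example/verify">www.ebay.com</a>.</p></body></html>"""
```

Running `phishing_indicators(SAMPLE_EMAIL, "ebay.com")` reports all three tells; a genuine notice that links only to the claimed domain and asks for nothing returns an empty list.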