What is phishing?
"Phishing" is a serious privacy threat that is quite simple in concept. The person doing the phishing (the "phisher") contacts an individual by phone or e-mail and asks for personal information, such as a social security number, date of birth, or passwords. If the targeted individual provides such information, it can be used for identity theft or to compromise system security.
It is important to keep in mind that reputable organizations do not normally contact their customers asking for personal information.
Phishers are quite adept at gaining their victims' confidence. The person making contact over the phone sounds official. The phishing e-mail message has a corporate look and feel, including company logos. A credible explanation of why the information is needed is included in the communication. For example, they may claim that they are verifying the organization's records, that they need to reconstruct their database after a computer system failure or upgrade, that your account will be closed unless you respond with your personal information for verification, or that they are offering a new service and need you to verify your identity to obtain it, among many other pretexts.
Most of today's attacks arrive via e-mail, which gives the phisher broad coverage and a number of additional options for fooling intended victims. Typically, the phisher sends an e-mail message to a large group of individuals whose addresses he or she has captured from address books and websites across the Internet. The message, usually well-crafted and official-looking, may claim to be from a financial institution, a service provider, or any other organization known to the recipient. The e-mail message asks the recipient to confirm or provide some personal information. Often, the recipient is asked to provide the information by clicking a website link in the e-mail. But while the link may look legitimate, e.g., www.princeton.edu, the address displayed for a link is not necessarily the actual site you visit when you click on it.
Thus, a phisher can send you a link that appears to lead to your bank's homepage (e.g., www.mybank.com) but actually points to a different site (e.g., www.nastyIDthieves.xyz) that he or she has designed to look exactly like the official "mybank" website, with fields for you to enter whatever pieces of personal information they hope to obtain, e.g., your password, credit card number, PIN, social security number, date of birth, or other personal information. When you click the "submit" button, all the personal information you entered is exposed to individuals who can use it to make purchases, open new credit accounts, take out loans, and so on, all in your name.
There have been other attacks using similar methods. A while ago, a malicious individual sent an e-mail message that looked as if it came from a major software vendor. The e-mail asked the recipient to execute an attached file to apply an emergency patch to his or her system. When the recipient did, a virus was unleashed.