Suppose you check your e-mail one day and find this message in your inbox:

Image: an e-mail phishing message. Phishing is a method of identity theft.

You have an account with HSW Bank, and you've gotten e-mail from them before. But this one seems suspicious, especially since it threatens to close your account if you don't reply immediately. What do you do?

This message and others like it are examples of phishing, a method of online identity theft. In addition to stealing personal and financial data, phishers can infect computers with viruses and convince people to participate unwittingly in money laundering. In this article, we'll examine the common traits of phishing schemes and the technological tricks that phishers use to deceive people and software.

Phishing Facts
  • 13,776 phishing attacks linked to 5,259 Web sites took place in August of 2005.
  • They targeted 84 different businesses, but three businesses received 80 percent of the attacks.
  • 85 percent of the attacks targeted banks and other financial institutions.
Source: AntiPhishing.org

Most people associate phishing with e-mail messages that spoof, or mimic, banks, credit card companies or other businesses such as Amazon and eBay. These messages look authentic and attempt to get victims to reveal their personal information. But e-mail messages are only one small piece of a phishing scam.
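A message that "looks authentic" usually still leaks the mismatch between what it shows and where it really points. The following Python script is an added example for this article, not code from the original page: it parses a constructed sample modelled on the HSW Bank scenario above (all domains are invented placeholders) and reports the kinds of spoofing indicators a mail filter or an alert reader would check for: a Reply-To domain that differs from the sender's, links whose visible text names one domain while the href goes to another, and pressure language such as a threat to close the account.

```python
"""Heuristic triage of a suspected phishing e-mail (added example, not from the article)."""
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample modelled on the article's scenario: a message claiming to be
# from "HSW Bank" (a fictional bank) that threatens account closure. The domains
# are invented placeholders under the reserved .example TLD, not real hosts.
SAMPLE_EMAIL = """\
From: HSW Bank Security <alerts@hswbank.example>
Reply-To: verify@hswbank-login.example
Subject: Urgent: your account will be closed
Content-Type: text/html

<html><body>
<p>Dear customer, we could not verify your details.</p>
<p>Click <a href="http://hswbank-login.example/verify">https://www.hswbank.example/secure</a>
within 24 hours or your account will be closed immediately.</p>
</body></html>
"""

# Pressure phrases typical of the "reply now or lose your account" lure.
URGENCY_PHRASES = ("immediately", "within 24 hours", "account will be closed", "urgent")


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Crude 'example.com' from 'www.example.com'; fine for a demo (no public-suffix list)."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def domain_of_address(addr):
    """Registrable domain of an RFC 5322 address header such as 'Name <user@host>'."""
    _, email_addr = parseaddr(addr or "")
    return registrable_domain(email_addr.rpartition("@")[2]) if "@" in email_addr else ""


def domain_of_url(text):
    """Domain of a URL; visible link text is often a bare URL, so add a scheme if missing."""
    if not re.match(r"^[a-z]+://", text, re.I):
        text = "http://" + text
    return registrable_domain(urlparse(text).hostname or "")


def triage(raw_message):
    """Return a list of human-readable spoofing indicators found in the message."""
    msg = message_from_string(raw_message)
    indicators = []

    from_domain = domain_of_address(msg.get("From"))
    reply_domain = domain_of_address(msg.get("Reply-To"))
    if reply_domain and reply_domain != from_domain:
        indicators.append(f"reply-to domain {reply_domain} differs from sender domain {from_domain}")

    body = msg.get_payload(decode=True).decode(msg.get_content_charset() or "utf-8")
    parser = LinkCollector()
    parser.feed(body)
    for href, text in parser.links:
        href_domain = domain_of_url(href)
        if href_domain and href_domain != from_domain:
            indicators.append(f"link points to {href_domain}, not the sender's domain {from_domain}")
        text_domain = domain_of_url(text) if "." in text else ""
        if text_domain and text_domain != href_domain:
            indicators.append(f"link text shows {text_domain} but href goes to {href_domain}")

    lowered = (msg.get("Subject", "") + " " + body).lower()
    for phrase in URGENCY_PHRASES:
        if phrase in lowered:
            indicators.append(f"urgency language: '{phrase}'")
    return indicators


if __name__ == "__main__":
    for line in triage(SAMPLE_EMAIL):
        print("-", line)
```

None of these checks proves a message is fraudulent on its own; legitimate mailings sometimes use a separate Reply-To or a tracking-link domain. Their value is that a genuine bank notice rarely trips several at once, which is why real filters score indicators rather than block on any single one.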

Phishing Origins
The first documented use of the word "phishing" took place in 1996. Most people believe it originated as an alternative spelling of "fishing," as in "to fish for information" [ref].
From beginning to end, the process involves:

  1. Planning. Phishers decide which business to target and determine how to get e-mail addresses for the customers of that business. They often use the same mass-mailing and address collection techniques as spammers.
  2. Setup. Once they know which business to spoof and who their victims are, phishers create methods for delivering the message and collecting the data. Most often, this involves e-mail addresses and a web page.
  3. Attack. This is the step people are most familiar with -- the phisher sends a phony message that appears to be from a reputable source.
  4. Collection. Phishers record the information victims enter into web pages or popup windows.
  5. Identity Theft and Fraud. The phishers use the information they've gathered to make illegal purchases or otherwise commit fraud. As many as a fourth of the victims never fully recover [Source: Information Week].
If the phisher wants to coordinate another attack, he evaluates the successes and failures of the completed scam and begins the cycle again.

Phishing

Phishing scams take advantage of software and security weaknesses on both the client and server sides. But even the most high-tech phishing scams work like old-fashioned con jobs, in which a hustler convinces his mark that he is reliable and trustworthy. Next, we'll look at the steps phishers take to convince victims that their messages are legitimate.