What is Phishing?
In computing, phishing is the luring of sensitive information, such as passwords and other personal information, from a victim by masquerading as someone trustworthy with a real need for such information. It is a form of social engineering attack.
Phishing is a type of deception designed to steal your identity. In a phishing scam, a malicious person tries to get information like credit card numbers, passwords, account information, or other personal information from you by convincing you to give it to them under false pretenses. Schemes usually come via spam e-mail or pop-up windows.
The term was coined in the mid-1990s by crackers attempting to steal AOL accounts. An attacker would pose as an AOL staff member and send an instant message to a potential victim. The message would ask the victim to reveal his or her password, for instance to "verify your account" or to "confirm billing information". Once the victim gave over the password, the attacker could access the victim's account and use it for criminal purposes, such as spamming.
The term "phishing" is sometimes said to stand for password harvesting fishing, though this is likely a backronym, a retroactively-coined acronym. Still other theories attribute the term "phishing" to the name "Brian Phish", who allegedly was the first to use psychological techniques to steal credit card numbers in the 1980s. Others believe that "Brian Phish" was not a real person but a fictional character used by scammers to identify each other.
Today, online criminals put phishing to more directly profitable uses. Popular targets are users of online banking services, and auction sites such as eBay. They usually work by sending out spam e-mail to large numbers of potential victims. These direct the recipient to a Web page which appears to belong to their online bank, for instance, but in fact captures their account information for the attacker's use.
Typically, a scam email will appear to come from a trustworthy company and contain a subject and message intended to alarm the recipient into taking action. A common approach is to tell the recipient that their account has been de-activated due to a problem and inform them that they must take action to re-activate their account. The user is provided with a convenient link in the same email that takes the email recipient to a fake webpage appearing to be that of a trustworthy company. Once at that page, the user enters her personal information which is then captured by the fraudster.
Checking the URL in the address bar of the browser may not be sufficient, as, in some browsers, that can be faked as well. However, the file properties feature of several popular browsers may disclose the real URL of the fake webpage.
If you are contacted about an account needing to be "verified," you should contact the company directly, or type in the address for their webpage.
Be especially suspicious of an address containing the "@" symbol, for example: http://www.google.com@members.tripod.com/ Such an address attempts to connect as a user "www.google.com" to the server "members.tripod.com". The connection will very likely succeed even if that user does not exist, while the first part of the link looks legitimate. The same is true for misspelled URLs or look-alike subdomains, for example: http://www.yourbank.com.spam.net which is actually a page on spam.net, not on yourbank.com.
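The URL tricks described above (a username before "@", the expected domain buried as a subdomain of an unrelated host, and misspelled look-alike domains) can be checked mechanically. The following Python script is an added example, not code from the original article; the function names (analyze_url, is_suspicious, edit_distance) and the sample URLs it checks are constructed for illustration, and its "registrable domain" guess (last two host labels) is a deliberate simplification that does not know about suffixes such as co.uk.

```python
"""Flag the common phishing URL tricks: userinfo before '@', expected domain
embedded in an unrelated host, and look-alike (misspelled) domains.
Added example; analyze_url/is_suspicious/edit_distance are hypothetical names."""
from urllib.parse import urlsplit


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance, used to spot misspelled domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def under_domain(host: str, expected_domain: str) -> bool:
    """True if host is expected_domain itself or a label-aligned subdomain of it."""
    host = host.lower().rstrip(".")
    expected = expected_domain.lower()
    return host == expected or host.endswith("." + expected)


def analyze_url(url: str, expected_domain: str) -> list:
    """Return a list of warning strings for one URL; an empty list means no trick found."""
    warnings = []
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        warnings.append(f"unexpected scheme {parts.scheme!r}")
    # Trick 1: anything before '@' in the authority is a username, not the site.
    # The browser connects to the host after the '@'.
    if "@" in parts.netloc:
        warnings.append(
            f"credentials in URL: connects to {parts.hostname!r} as user "
            f"{parts.username!r}, not to the site named before the '@'"
        )
    host = parts.hostname or ""  # urlsplit already lower-cases the hostname
    if not host:
        warnings.append("no host in URL")
        return warnings
    if not under_domain(host, expected_domain):
        expected = expected_domain.lower()
        # Naive registrable-domain guess: last two labels (assumption; ignores co.uk etc.)
        base = ".".join(host.split(".")[-2:])
        if expected in host:
            # Trick 2: www.yourbank.com.spam.net belongs to spam.net
            warnings.append(f"{expected!r} embedded in unrelated host {host!r} (real site: {base!r})")
        elif 0 < edit_distance(base, expected) <= 2:
            # Trick 3: yourbnak.com, yourbank.co and similar misspellings
            warnings.append(f"look-alike domain {base!r} resembles {expected!r}")
        else:
            warnings.append(f"host {host!r} is not under {expected!r}")
    return warnings


def is_suspicious(url: str, expected_domain: str) -> bool:
    """Convenience wrapper: True when any warning is raised for the URL."""
    return bool(analyze_url(url, expected_domain))


if __name__ == "__main__":
    # Constructed sample links, as they might appear in a "verify your account" e-mail.
    samples = [
        ("https://www.yourbank.com/login", "yourbank.com"),
        ("http://www.google.com@members.tripod.com/", "google.com"),
        ("http://www.yourbank.com.spam.net", "yourbank.com"),
        ("http://www.yourbnak.com/", "yourbank.com"),
    ]
    for link, expected in samples:
        verdict = analyze_url(link, expected)
        print(link, "->", verdict or "looks consistent with " + expected)
```

In practice the expected domain comes from what the e-mail claims to be (the bank or auction site named in the message), and any warning is reason to ignore the link and type the site's address yourself, as the text above advises.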
Related articles:
- Phishing Hole Discovered in Internet Explorer
- Avoiding a Phishing attack
- Pharming for Your Identity
- Phishing Flaw in Alternate Browsers