Phishing is an e-mail scam technique used by Internet fraudsters to entice unsuspecting consumers to divulge sensitive, valuable information. Phishing schemes lead consumers to believe that they are responding to a bona fide e-mail request from a well-known institution to update their information.
A Typical Phishing Hoax Scenario:
- Numerous consumers receive a spam e-mail, purporting to be from a familiar institution such as a bank, persuading them to connect to a Web site by clicking on an enclosed link and to update their personal information, usually for "security" or "technical" reasons, to keep their accounts active.
- Some of the e-mail recipients believe the e-mail to be from a trusted source and unsuspectingly click on the link. The link then directs the recipients to an official-looking, but forged, Web site that copies the legitimate company's logo and Web site layout. An update screen on the spoof site, operated by the criminals, requires entry of sensitive private information, such as:
  - Payment card account information
  - Bank account details
  - Passwords and personal identification numbers (PINs)
- A few unwary consumers provide the requested information. They think that they are responding to their financial institution or e-commerce provider, whose name the criminals are using in the e-mail.
- The criminals use the account information stolen from the phishing victims to commit financial fraud, buying goods and services online or transferring funds from the victim's bank account. The criminals usually commit the fraud within a short time frame, before it is detected.
Phishing schemes use sophisticated techniques to disguise the origin of their spam e-mails and the forged Web sites, so that the hoax is hard to detect. Often, spammers exploit the Uniform Resource Locator (URL) "user authentication" syntax supported by some Internet browsers, in which text before an "@" sign in the address is treated as a user name rather than as the site, to cloak the fake Web site as an authentic one. This practice deceives Internet users because the fake Web site's URL, as displayed in the browser address bar, appears to match that of a genuine Web site.
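The following is an added example, not part of the original article: it scans a constructed lure message for links and, using Python's standard `urllib.parse` (which follows the RFC 3986 rule that anything before "@" in the authority is user information, not the host), reports which host the browser would really contact. The domain `bank.example` and the address `203.0.113.5` are placeholders.

```python
import re
from urllib.parse import urlsplit

# Constructed sample lure text (not a real message); the first link uses the
# "@" trick described above, the second is an ordinary link.
SAMPLE_EMAIL = """Dear customer, for security reasons please confirm your details at
http://www.bank.example@203.0.113.5/update within 24 hours, or your account
will be suspended. Alternatively visit https://www.bank.example/help for info."""

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def analyze_url(url):
    """Work out which host a browser will really connect to for this link.

    Text before '@' in the authority part is 'userinfo', not the host, so
    http://www.bank.example@203.0.113.5/ actually goes to 203.0.113.5 while
    starting with a familiar-looking domain name.
    """
    parts = urlsplit(url if "://" in url else "http://" + url)
    actual_host = (parts.hostname or "").lower()
    decoy = parts.username          # None unless a userinfo component exists
    suspicious = decoy is not None  # legitimate links almost never carry one
    reason = None
    if suspicious:
        reason = "text before '@' masquerades as the host"
        if "." in decoy:
            reason += " (decoy looks like a domain name)"
    return {"url": url, "actual_host": actual_host, "decoy": decoy,
            "suspicious": suspicious, "reason": reason}


def scan_message(text):
    """Return the analysis for every http(s) URL found in a message body."""
    return [analyze_url(m.group(0)) for m in URL_RE.finditer(text)]


if __name__ == "__main__":
    for finding in scan_message(SAMPLE_EMAIL):
        flag = "SUSPICIOUS" if finding["suspicious"] else "ok"
        print(f"{flag:10} {finding['url']} -> host {finding['actual_host']}")
```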
In some phishing instances, criminals request that the recipients download and install "security" software attached to the spam e-mail. If a recipient installs the software, the criminals can monitor the victim's computer and capture bank and payment card account details. The use of this mechanism, though still low in relation to other mechanisms, has recently been increasing. In addition, spammers "take over" unsecured computers and servers and route spam e-mail through them to conceal the real e-mail source. The criminals use the victim's computer to launch spam e-mail distribution, unbeknownst to the victim.