Phishing (Scam Emails)

What is Phishing?

    "Phishing", short for password harvesting fishing, is the illegal practice of "luring" sensitive information, such as passwords and financial data, from a victim by masquerading as someone trustworthy with a legitimate need for such information. It is a form of "Social Engineering" attack, which exploits the weaknesses of human nature.

    One type of "Phishing" is an Internet scam which uses "spoofed" (forged) e-mails and impersonated websites, designed to look like the e-mails and websites of well-known legitimate businesses and institutions, in order to deceive recipients into divulging sensitive information, such as account usernames and passwords, bank account numbers, credit card numbers, social security numbers, PINs, etc. Because the e-mails look genuine, recipients respond to them and become victims of identity theft and other fraudulent activity.

    Phishing attempts are especially difficult to detect due to their sophistication and ability to mimic legitimate communications from businesses. By hijacking the trusted brands of well-known banks, online retailers and credit card companies, phishers are able to convince up to 5% of recipients to respond to them. And, as the chart below indicates, phishing attacks are increasing.

    Because phishing involves the mass distribution of e-mail messages, if you can slow down the volume of spam, you can reduce the number of successful hits that phishing attacks make. See "False Claims in Spam", a report (PDF format) by the Federal Trade Commission's Division of Marketing Practices.

Statistics

    [Chart: growth in the number of phishing attacks over time; image not preserved]
    Source: The Anti-Phishing Working Group (APWG)

    "In the last year, phishing attacks targeted 57 million Internet users.
    On average, three to five percent of all individuals who received a phishing e-mail fell victim to the fraud."
    (Source: Verisign, June 28, 2004)

    According to an article in TechNewsWorld on August 5, 2004 by John P. Mello Jr.: Phishing attacks increased 19 percent in June over May, according to a report released by the Anti-Phishing Working Group. Of the 1,422 new unique attacks, 92 percent of them used forged, or "spoofed," e-mail addresses.

    According to a report by Zero Spam Network Corporation, the financial services sector remains the top target of phishers, garnering more than 1,000 of the new unique attacks. Citibank alone amassed 492 attacks, a 32 percent jump from the previous month.

    According to MailFrontier in 2003 over 40% of recipients fell for a Citibank Email Phishing Scam.

    According to Gartner, between May 2004 and May 2005, roughly 1.2 million U.S. computer users suffered Phishing losses valued at $929 million.

Statistics from Verisign:
(Verisign processes over 30% of all e-commerce transactions in North America)

    "Phishers [are] now ... using 'browser camouflage' techniques, such as floating a JavaScript window over an address bar. In addition, JavaScript windows can remain installed on a user’s browser to record information sent and received while that browser is active."   (June 28, 2004)

    "VeriSign found the majority of phishing attacks were launched between 9:00 p.m. – 4:00 a.m., when IT staffers are often on call or fewer in numbers."   (June 28, 2004)

    "In a sample of 490 phishing e-mails, targeting customers of 16 companies, VeriSign found that 93 percent were sent from forged or spoofed e-mail addresses; 5 percent came from sites making no attempt to disguise their destination, and 2 percent came from 'cousin' sites, which closely mimic the company site they are seeking to imitate. 37 percent of phishing e-mails directed users to capture sites located outside the United States, with a concentration in Korea, China, Poland, Brazil, Taiwan, Singapore, Australia and Indonesia."   (June 28, 2004)

    "Top countries by percentage of fraudulent transactions, determined by the origin of IP address, were led by Cameroon, with 100 percent of transactions determined as risky. Following Cameroon was Nigeria (96 percent), Indonesia (93 percent), and Slovenia (92 percent)."   (July 26, 2004)

    Verisign Internet Security Intelligence Briefing - July, 2004 (pdf)
    A bit on the technical side, but the statistics are worth noting.

How Phishing Works

    Phishing has been effective because the fraudulent e-mails and websites appear so authentic. It is easy for criminals to copy trademarks and other content from legitimate businesses’ websites (referred to as "page-jacking") and place them into phishing e-mails and websites. If the e-mail recipient clicks on the link in the e-mail, even the address of the fake website displayed in the Internet browser appears to be that of the legitimate website.

    Most phishing e-mails include false statements intended to create a sense of urgency, to convince the recipient to act before thinking. By claiming an immediate financial threat, such as reporting that the recipient's credit card is being used by another person, the perpetrator tricks recipients into disclosing their financial and personal data.

    And while the message may seem to be addressed specifically to you, “spamming” (mass e-mailing) techniques are used to send the e-mail to thousands of people. Many of these people do not even have accounts with the actual business being impersonated, but the criminals who create phishing e-mails count on the fact that some recipients of these e-mails will have an account with that business, and may believe that the e-mail has come from a trusted source.

    Ultimately, people who respond to phishing e-mails, and input the requested financial or personal information are putting their accounts and financial status at risk. Phishers can use the data to withdraw money from bank accounts, use the victims' existing lines of credit, or open new bank accounts or lines of credit in the victims’ names. Internet users may not realize that they have become victims of identity theft until they are contacted by creditors.

    Technical information regarding the Cross-Site Scripting Web Vulnerability, which enables impersonated websites, from James Madison University

How To Protect Yourself From Malicious Email

    If you receive a suspicious email message do not reply or click any links in the e-mail body!

    Doing so may activate malicious code that captures keystrokes or installs spyware. The most effective step that you can take to help protect yourself from malicious hyperlinks is not to click them. Rather, type the URL of your intended destination in the address bar yourself.

    The U.S. Department of Justice recommends that Internet users follow three simple rules when they see e-mails or websites that may be part of a phishing scheme:

      1. Hesitate.
      Phishers typically include upsetting or exciting (but false) statements in their emails with one purpose in mind. They want people to react immediately to that false information, by clicking on the link and submitting the requested data before they have time to think through what they are doing. Resist the impulse to click immediately, and take the time to check out the information more closely.

      2. Scrutinize.
      Closely examine the claims made in the e-mail, and think about whether those claims make sense. Be highly suspicious if the e-mail asks for numerous items of personal information such as account number or social security number. For example, the e-mail indicates that it comes from your bank, but then requests that you enter your account information again. Legitimate banks and financial institutions already have their customers' account numbers in their records. Even if the e-mail says a customer's account is being terminated, the real bank or financial institution will still have that customer's account number and identifying information.

      3. Verify.
      If the e-mail or website purports to be from a legitimate company or institution where you do business, contact that company directly through an address or telephone number you know to be genuine, such as the phone number indicated on the back of your credit card or on your bank statement, and ask them whether the e-mail or website is actually from the company in question.
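    The following script, added here as an illustration and not taken from the Department of Justice or from this page's author, applies the "Hesitate" and "Scrutinize" checks above to a raw e-mail: it flags a display name whose claimed brand does not appear in the sender's domain, a Reply-To that diverts answers to a different domain, the urgency language the page describes, and requests for data the institution already holds. The message, the phrase lists and the one-point-per-indicator scoring are all constructed assumptions for the example.

```python
"""Heuristic triage of an e-mail against the warning signs described on this page.
Added example; the sample message is constructed and the phrase lists and
scoring are the example author's assumptions, not a published rule set."""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample in the bank-impersonation pattern the page describes.
SAMPLE_EMAIL = """\
From: "Trusted Bank Security Department" <alerts@mail-verify.example>
Reply-To: confirm@reply-collector.example
To: customer@example.org
Subject: URGENT: your account will be suspended within 24 hours
Content-Type: text/plain; charset="utf-8"

Dear valued customer,

We have detected unauthorized use of your credit card. To avoid immediate
suspension you must re-enter your account number, PIN and social security
number within 24 hours using the link below.
"""

# Phrases that manufacture urgency ("Hesitate").
URGENCY_PHRASES = ("urgent", "immediately", "within 24 hours", "suspend", "unauthorized")
# Data a real bank already has on file and would not ask you to re-enter ("Scrutinize").
SENSITIVE_REQUESTS = ("account number", "password", "pin", "social security")


def domain_of(address):
    """Domain part of an e-mail address, lower-cased ('' if malformed)."""
    return address.rsplit("@", 1)[1].lower() if "@" in address else ""


def display_name_domain_mismatch(from_header):
    """True when the first word of the display name (assumed here to be the
    claimed brand) does not occur anywhere in the sender's domain."""
    name, addr = parseaddr(from_header)
    words = name.split()
    if not words or not domain_of(addr):
        return False
    return words[0].lower() not in domain_of(addr)


def plain_text(msg):
    """Concatenate the text/plain parts of a parsed message, lower-cased."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    chunks = []
    for part in parts:
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks).lower()


def triage(raw_message):
    """Return (score, reasons): one point per indicator found."""
    msg = message_from_string(raw_message)
    text = (msg.get("Subject") or "").lower() + "\n" + plain_text(msg)
    reasons = []

    if display_name_domain_mismatch(msg.get("From", "")):
        reasons.append("display name claims a brand the sender domain does not match")

    sender = domain_of(parseaddr(msg.get("From", ""))[1])
    reply_to = domain_of(parseaddr(msg.get("Reply-To", ""))[1])
    if reply_to and reply_to != sender:
        reasons.append("Reply-To domain differs from From domain")

    urgency = [p for p in URGENCY_PHRASES if p in text]
    if urgency:
        reasons.append("urgency language: " + ", ".join(urgency))

    asked = [p for p in SENSITIVE_REQUESTS if re.search(r"\b" + re.escape(p) + r"\b", text)]
    if asked:
        reasons.append("asks for data the institution already holds: " + ", ".join(asked))

    return len(reasons), reasons


if __name__ == "__main__":
    score, why = triage(SAMPLE_EMAIL)
    print(f"indicators found: {score}")
    for reason in why:
        print(" -", reason)
```

    The score is only a prompt to apply the third rule, "Verify": a message that trips several indicators should be confirmed with the institution through a phone number or address you already know to be genuine, never through contact details in the message itself.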

Identification: How to Recognize a Phishing Scam
(Recommended Reading)

Anti-Phishing Tools

    Test your browser for vulnerability to URL Spoofing (a.k.a. URL Cloaking), which disguises the true destination of a link

    URL Link Checker to verify URL link is not spoofed/cloaked (before you use it)

    Spoofed URL Checker to determine if you are at a web page that is exploiting this vulnerability

    SpoofStick is a free web browser extension from CoreStreet that helps detect spoofed (fake) websites

    The Netcraft Toolbar blocks known spoofed (fake) websites, traps suspicious characters in URLs, shows the country where the website is located, and presents a "Risk Rating" for each website.
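    To make concrete what a link checker like the ones listed above looks for, here is an added example (not the code of any of these tools) that examines a hyperlink for the cloaking tricks this page mentions: user-info placed before an "@" so that the real host is hidden, a raw IP address in place of a hostname, percent-encoded or non-ASCII characters in the host part, and clickable text that displays a different destination than the link actually points to. All sample links and the expected domain "bank.example" are constructed for the example.

```python
"""Link checker for the URL-cloaking tricks anti-phishing toolbars look for.
Added example for this page, not code from any of the listed products; every
sample link is constructed."""
import ipaddress
import re
from urllib.parse import urlsplit

# Anchor text that a reader would read as a web address.
LOOKS_LIKE_URL = re.compile(r"^(https?://)?[\w.-]+\.[a-z]{2,}(/|$)", re.IGNORECASE)


def real_host(url):
    """Host the browser would actually connect to, lower-cased ('' if none)."""
    return (urlsplit(url.strip()).hostname or "").lower()


def check_url(url, expected_domain=None):
    """Return a list of warnings for one link. expected_domain (assumption: the
    brand domain the user believes they are visiting) enables the destination check."""
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").lower()
    warnings = []

    # http://www.bank.example@203.0.113.5/ connects to 203.0.113.5, not the bank.
    if parts.username is not None:
        warnings.append(f"user-info before '@' hides the real host {host!r}")
    try:
        ipaddress.ip_address(host)
        warnings.append("raw IP address instead of a hostname")
    except ValueError:
        pass
    if re.search(r"%[0-9a-fA-F]{2}", parts.netloc):
        warnings.append("percent-encoded characters in the host part")
    # Punycode labels are flagged by their prefix only; nothing is decoded here.
    if any(ord(c) > 127 for c in host) or any(l.startswith("xn--") for l in host.split(".")):
        warnings.append("non-ASCII or punycode host (possible look-alike domain)")
    if expected_domain:
        exp = expected_domain.lower()
        if host != exp and not host.endswith("." + exp):
            if exp in url.lower():
                warnings.append(f"{exp!r} appears in the link but the host is {host!r}")
            else:
                warnings.append(f"host {host!r} is not {exp!r}")
    return warnings


def anchor_mismatch(visible_text, href):
    """True when the clickable text reads as an address whose host differs from the href's."""
    text = visible_text.strip()
    if not LOOKS_LIKE_URL.match(text):
        return False
    shown = real_host(text if "://" in text else "http://" + text)
    return shown != real_host(href)


SAMPLE_LINKS = [  # (anchor text, href) pairs, constructed for the example
    ("https://www.bank.example/login", "https://www.bank.example/login"),
    ("https://www.bank.example/login", "http://www.bank.example@203.0.113.5/login"),
    ("www.bank.example", "http://www.bank.example%01@203.0.113.5/"),
    ("Update your details", "http://www.xn--80ak6aa92e.com/login"),
]

if __name__ == "__main__":
    for text, href in SAMPLE_LINKS:
        print(href)
        for warning in check_url(href, "bank.example"):
            print("  !", warning)
        if anchor_mismatch(text, href):
            print("  ! anchor text shows a different host than the link target")
```

    Running the script prints nothing but the address for the first, genuine link and several warnings for each of the others, which mirrors the advice above: rely on the host the browser will actually connect to, not on what the link text or the start of the URL appears to say.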

Anti-Phishing Resources
(Recommended Reading)

Copyright © 2003 Scientis