Phishing, as the name implies, is when spam is used as means to "fish" for the credentials that are necessary to access and manipulate financial accounts. Invariably, the email will ask the recipient for an account number and the related password using an explanation that their records need updating or a security procedure is being changed that requires confirming an account. Unsuspecting email recipients that supply the information don't know it, but within hours or even minutes, unauthorised transactions will begin to appear on whatever account was compromised.
By now, most people know that giving this information away on the Internet is a no-no. With phishing, however, it's almost impossible to tell that the email is a fraud. Like spam, email from phishers usually contains spoofed From or Reply To addresses to make the email look as though it came from a legitimate company.
In addition to the spoofed credentials, the email is usually HTML-based. To an undiscerning eye, the email bears the authentic trademarks, logos, graphics, and URLs of the spoofed company. In many cases, the HTML page is coded to retrieve and use the actual graphics of the site being spoofed. Most of the phishing I've received pretends to come from PayPal and contains plainly visible URLs that make it look as though clicking on them will take me to PayPal's domain. Upon quick examination of the HTML tags behind the authentic looking link, the actual URL turns out to be an unrecognisable and cryptic looking IP address rather than an actual page within PayPal's domain.
PayPal, the payment subsidiary of EBay, is a common target of phishing. If you get one and you've never joined PayPal, then you obviously know it's a fraud. But if you are a PayPal member, as I am, the phisher has at that point broken through the unofficial security-by-obscurity layer that once protected you. It is not difficult to see how PayPal members could be victimised by this technique.
According to Antiphishing Working Group chairman David Jevans, PayPal isn't the only target of phishers. "In about 35 percent of all reported phishing attacks, Ebay's PayPal service is the biggest victim. But just about any financial institution, credit card issuer, retailer, or other business can be targeted. UK-based NatWest was phished badly in October 2003 and then even worse in December. The December attack was so bad that NatWest had to take down its site. Visa was another organisation that was targeted over the holidays."
At first blush, phishing appears to be sort of buyer-beware consumer issue since the emails themselves are prospecting for potential account holders to the spoofed institutions. Indeed, depending on the spoofed institution's policies, a consumer could end up eating a loss. "So far," said Jevans, "most of the transgressions against individuals have been in the hundreds of dollars because smaller transactions will sometimes go unnoticed for a while. But they go higher. The largest one on record so far is for $16,000 (£8,664). If the credentials obtained by a phisher are for a credit-card account, then the risk is usually absorbed by either card issuer or a merchant." This is when the hard dollar cost of phishing, which Jevans considers a form of identity theft, begins to be recognised by corporations and businesses instead of individuals.
