Most threats to computer users involve direct attacks on the computer itself, exploiting technical vulnerabilities in its operating system and other software. Phishing, on the other hand, relies on the user’s own vulnerabilities: the same emotions and lack of awareness that allow people to be taken in by non-electronic confidence schemes.
In the digital world, phishing is any attempt to defraud a computer user by impersonating a reputable source. This can be done through e-mails, a fake Web site, or a combination of the two. The end result can range from a person giving away login and password information or credit card details to, in the most severe cases, full account takeover and serious financial loss.
Unlike malware such as viruses, worms, and rootkits, which may damage computers or open a back door for identity thieves, phishing attempts are aimed almost exclusively at identity theft: they seek the victim’s information rather than control of the victim’s machine.
The term “phishing,” by most accounts, combines “fishing” (as in baiting a hook with a fraudulent e-mail) with “phreaking,” an older form of telephone-system hacking.
Phishing is a form of social engineering: manipulating a person into giving out sensitive information rather than stealing it outright.
One way to see the difference is to compare phishing with another attack: keylogging. With keylogging, a cybercriminal plants a program on the victim’s computer (usually by installing malware, occasionally through physical access) that records what the unsuspecting user types, especially passwords and credit card numbers; the attack is against the machine. A phishing e-mail, on the other hand, tries to convince the user that their bank needs to “verify” their account login and password, so that the user hands the information over voluntarily.
Examples of Phishing
Some of the earliest widespread phishing attacks occurred on AOL. Phishers would pretend to be AOL staff and, using the in-house instant messaging system, ask AOL members to verify their login and password. This let the phisher log in under the account, gaining access to other account information (such as a credit card number) or using it as a base for sending spam e-mail. Even after AOL inserted text warning that AOL staff would never ask for account information, some people still fell for the phishing. What made matters worse was when AOL opened its instant messaging program to non-AOL account holders, which allowed phishers to run the same scam on AOL subscribers from outside the bounds of the company’s Terms of Service agreement.
The success of the AOL phishing led to widespread phishing aimed at customers of reputable banks, online businesses, and payment services. Organizations such as TD Ameritrade, eBay, and the U.S. Internal Revenue Service have all been impersonated by phishers. The attack is usually carried out by e-mail: phishers design messages that look remarkably like they came from the actual business, except for a few details, such as a letter addressed to “Dear Client” instead of the person’s name, or a sender address that does not come from the business’s domain.
Phishers also use Web site forgeries. With this method, links in the e-mail lead the victim to a reasonable copy of a reputable site, where whatever they type is recorded. The visible link text may even show the real site’s address while the actual link target points somewhere else entirely.
Many people associate 419 scams (also known as Nigerian bank scams) with phishing. However, most of these e-mail scams do not try to fool the target into thinking the sender is a business the recipient uses. They rely on social engineering alone, preying on greed and empathy, and usually culminate in the victim wiring money in the expectation of a larger reward later (which, of course, never comes). Most are sent from Web-based e-mail accounts and are poorly worded, full of factual and grammatical errors.
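The warning signs described above (a sender address off the business’s domain, a generic “Dear Client” salutation, and a link whose visible text shows the real site while its target points to a forgery) can be checked mechanically. The following is an added example written for this page, not code from any mail filter or product: it parses two constructed sample messages (the domains examplebank.com and secure-examplebank-login.net are made up) and reports each sign it finds, including a link target that is not on a secure (https) connection. The domain comparison is deliberately crude (last two DNS labels) and would need a public-suffix list in real use.

```python
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: a forged "verify your account" mail. All domains are made up.
PHISHING_SAMPLE = """\
From: "Example Bank Security" <alerts@secure-examplebank-login.net>
To: customer@example.org
Subject: Please verify your account
Content-Type: text/html; charset=utf-8

<html><body>
<p>Dear Client,</p>
<p>We need to verify your account details. Please log in at
<a href="http://secure-examplebank-login.net/login">https://www.examplebank.com/</a>
within 24 hours or your account will be suspended.</p>
</body></html>
"""

# Constructed control: a mail that carries none of the warning signs.
LEGIT_SAMPLE = """\
From: "Example Bank" <alerts@examplebank.com>
To: customer@example.org
Subject: Your monthly statement is ready
Content-Type: text/html; charset=utf-8

<html><body>
<p>Dear Jane Doe,</p>
<p>Your statement is available on <a href="https://www.examplebank.com/">our site</a>.</p>
</body></html>
"""

GENERIC_GREETINGS = ("dear client", "dear customer", "dear user", "dear member")


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Last two DNS labels; crude, but enough for the made-up .com/.net hosts here."""
    labels = (host or "").lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def phishing_indicators(raw_message, expected_domain):
    """Return (code, detail) pairs, one per warning sign found in the message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    found = []

    # 1. Sender address not on the business's own domain.
    from_header = msg["From"]
    sender = from_header.addresses[0].addr_spec if from_header and from_header.addresses else ""
    sender_domain = sender.rsplit("@", 1)[-1]
    if registrable_domain(sender_domain) != registrable_domain(expected_domain):
        found.append(("sender-domain", sender_domain))

    # 2. Generic salutation instead of the customer's name.
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body is not None else ""
    for greeting in GENERIC_GREETINGS:
        if greeting in text.lower():
            found.append(("generic-greeting", greeting))
            break

    # 3. Links: targets without TLS, targets off the expected domain, and a visible
    #    URL whose domain differs from the real target (the Web-site forgery trick).
    collector = LinkCollector()
    collector.feed(text)
    for href, visible in collector.links:
        target = urlparse(href)
        if target.scheme != "https":
            found.append(("plain-http", href))
        if registrable_domain(target.hostname) != registrable_domain(expected_domain):
            found.append(("link-offsite", href))
        if visible.startswith(("http://", "https://")):
            shown = urlparse(visible)
            if registrable_domain(shown.hostname) != registrable_domain(target.hostname):
                found.append(("link-mismatch", f"{visible} -> {href}"))
    return found


if __name__ == "__main__":
    for name, sample in (("phishing", PHISHING_SAMPLE), ("legit", LEGIT_SAMPLE)):
        print(name, phishing_indicators(sample, "examplebank.com"))
```

The forged sample trips all five checks; the control message trips none. None of these checks is proof on its own (a legitimate newsletter may well say “Dear Customer”), which is why real filters score several signals together rather than blocking on any single one.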
By its very nature, phishing leaves few things a person can do to their computer to avoid becoming a victim. As mentioned before, phishing targets a person’s vulnerabilities rather than a computer’s.
Subscription-based antivirus or security-suite software with anti-phishing features is one way to help prevent being scammed. Keeping it up to date helps keep a computer protected against ever-evolving threats. Such software can block e-mails that come from a suspect source or contain phrases common to many phishing attempts, and products like Norton Security can also warn subscribers when they’ve landed on an unreliable Web site.
However, even with antivirus software in place, users can still ignore the warning signs, and they can disable parts of the software. And some phishers have begun sending the e-mail text as an image in order to get past text-based filters.
When it comes down to it, the most important defense against phishing is awareness. No reputable company will ask its customers to send account numbers, credit card numbers, logins, or passwords by e-mail, or to “verify” them through a link in an unsolicited message. Never enter sensitive information on a Web site that isn’t on a secure (https) connection, and remember that a secure connection alone does not prove the site is genuine: check that the address is the company’s real domain, and reach the site by typing the address yourself or using a saved bookmark rather than following a link in the e-mail. If any e-mail or Web request just doesn’t feel right, disregard it and contact the company through a channel you already know. And make sure all users of a computer are familiar with phishing and how to recognize it.