Phishing

Author: Jeffrey Wilson
Pages: 355-358


Background

Phishing (analogous to fishing, and hence the term) refers to a practice where a perpetrator attempts to lure a victim into visiting an authentic-looking Web site and entering personal information. The purpose of a phishing scheme is to steal personal information from the victim in the form of account numbers, social security numbers, passwords, and so forth. Although these schemes are blatantly illegal forms of identity theft, those individuals who are responsible are difficult to catch and prosecute because they are often located overseas.

Statistics have shown that phishing has continually escalated as a problem in the United States. According to one estimate, about 1.2 million people between May 2004 and May 2005 suffered losses due to phishing schemes. One prominent computer security company, Symantec, determined that one out of every 125 emails sent in 2005 was part of a phishing scheme. Although legislative efforts to combat this problem have proven ineffective, consumers can take a number of steps to protect themselves from being victimized by this form of fraud.

Phishing and Related Schemes
Typical Phishing Scams

A phishing scam begins with the distribution of an email that appears to be from a legitimate company, usually a bank or Internet shopping site. The email, which is typically addressed to a generic customer (e.g., "Dear Valued eBay Customer"), often contains authentic-looking logos from a legitimate company. Messages in these emails vary, but most indicate either that the company is undergoing a process of updating its records or that the customer's account information has been compromised through fraud. The email directs the user to click on a link that takes the user to a Web site that also looks authentic. Once on the site, the page directs the user to enter personal information, including the user's password.

Many victims of phishing schemes are unaware of what happened to them because they have been led to believe that the email and Web site were authentic. The person responsible for the phishing attack creates deception by producing a URL that looks like it belongs to an actual company. A victim often sees words in the hyperlink that are associated with the company, such as "eBay" or "CitiBank," and has no idea that the URL is fake. The Web site that the victim visits is likewise designed to deceive the victim because it usually looks identical to a company's actual site.

Spear Phishing

A more recent variation of phishing involves emails that are targeted towards employees of specific companies. Emails that are sent as part of this scheme appear to be from an employee's actual company and ask for the user to update personal information. However, like other phishing schemes, a link contained in the email message sends the user to a site that is completely unrelated to the company. This type of targeted phishing scheme has become known as "spear phishing."

Spear phishing has become prevalent. The Wall Street Journal reported that between January and June 2005, an estimated 35 million targeted messages were sent in the United States. This form of phishing has also proven to be effective. In one mock attack designed to study users' responses, 500 cadets from West Point received a targeted email asking for personal information. More than 80% of these cadets responded to the email and provided the requested information.

Pharming

The term...
