
An Overview of Phishing

by Brett M. Christensen

Phishing continues to be one of the most significant security threats facing Internet users. During 2007, scammers distributed millions of phishing scam emails that targeted many different entities. Phishing attacks are sure to continue in 2008 and scammers will use such attacks to steal money and identities from many new victims around the world. Armed with a little knowledge about how phishing scams work, however, you can ensure that you do not become one of these victims.

A phishing scam is one in which victims are tricked into providing personal information such as account numbers, passwords and credit card details to what they believe to be a legitimate company or organization. In order to carry out this trick, the scammers often create a “look-alike” webpage that is designed to resemble the target company’s official website. Typically, emails are used as “bait” in order to get the potential victim to visit the bogus website. The emails use various devious ruses to trick readers into clicking on the included links, thereby opening the bogus website. Information submitted on these bogus websites is harvested by the scammers and may then be used to steal funds from the user’s accounts and/or steal the victim’s identity.

Phishing scam emails are created to give the illusion that they have been sent by a legitimate institution. Emails may arrive in HTML format and include logos, styling, contact and copyright information virtually identical to those used by the targeted institution. To further create the illusion of legitimacy, some of the secondary links in these bogus emails may lead to the institution’s genuine website. However, one or more of the hyperlinks featured in the body of the email will point to the fraudulent website.

Links in phishing scam messages are often disguised to make it appear that they lead to the genuine institution site. The sender address of the email may also be disguised in such a way that it appears to have originated from the targeted company. Because they are sent in bulk to many recipients, scam emails use generic greetings such as “Dear account holder” or “Dear [targeted institution] customer”. If an institution needed to contact a customer about some aspect of his or her account, the contact email would address the customer by name.

Phishing scam emails use a variety of ruses to explain why it is necessary for recipients to provide the requested information. Often, the messages imply that urgent action on the part of the recipient is required. Some of the most common ruses are listed below. The scam emails may claim that:

  • The customer’s account details need to be updated due to a software or security upgrade.
  • The customer’s account may be terminated if account details are not provided within a specified time frame.
  • Suspect or fraudulent activity involving the user’s account has been detected and the user must therefore provide information urgently.
  • Routine or random security procedures require that the user verify his or her account by providing the requested information.
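
The indicators described above (a link whose visible text names the genuine site while its href points elsewhere, a generic greeting, and urgency wording) can be checked mechanically. The following is an added example, not part of the original article; the email body, the domain `examplebank.test` and the address `198.51.100.7` are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample of an HTML phishing email (not a real message): the
# visible link text names the bank's domain, the href points elsewhere,
# the greeting is generic and the wording presses for urgent action.
SAMPLE_EMAIL = """<html><body>
<p>Dear account holder,</p>
<p>Suspicious activity has been detected. Your account will be suspended
unless you verify your details within 24 hours.</p>
<p><a href="http://198.51.100.7/login">https://www.examplebank.test/login</a></p>
<p>Contact us: <a href="https://www.examplebank.test/help">Help centre</a></p>
</body></html>"""

GENERIC_GREETINGS = ("dear account holder", "dear customer", "dear valued customer", "dear user")
URGENCY_TERMS = ("urgent", "immediately", "within 24 hours", "suspended", "terminated", "verify your")
# Matches link text that looks like a URL or hostname; group 1 is the shown host.
URL_LIKE = re.compile(r"^(?:https?://)?([A-Za-z0-9.-]+\.[A-Za-z]{2,})")

class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs and the plain text of the message."""
    def __init__(self):
        super().__init__()
        self.links, self.text, self._href, self._buf = [], [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._buf = dict(attrs).get("href"), []
    def handle_data(self, data):
        self.text.append(data)
        if self._href is not None:
            self._buf.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._buf).strip()))
            self._href = None

def phishing_indicators(html):
    """Return the indicators found in an HTML email; an empty list means none fired."""
    parser = LinkExtractor()
    parser.feed(html)
    text = " ".join(parser.text).lower()
    found = []
    for href, label in parser.links:
        shown = URL_LIKE.match(label)           # disguised link: shown host != real host
        real = urlparse(href).hostname or ""
        if shown and shown.group(1).lower() != real:
            found.append(f"link text {shown.group(1).lower()} points to {real}")
    if any(g in text for g in GENERIC_GREETINGS):
        found.append("generic greeting")
    hits = [t for t in URGENCY_TERMS if t in text]
    if hits:
        found.append("urgency wording: " + ", ".join(hits))
    return found
```

A genuine notice that addresses the customer by name and whose link text matches its href produces an empty list, so the check is a useful triage aid rather than a verdict on its own.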

The entire purpose of a typical phishing scam is to get the recipient to provide personal information. If you receive any unsolicited email that asks you to click a link and provide sensitive personal information, then you should view the message with the utmost suspicion. It is highly unlikely that a legitimate institution would request sensitive information in such a way. Do not click links or open attachments in such messages. Do not reply to the senders. If you have any doubts at all about the veracity of the email, contact the institution directly to check.

This article focuses primarily on email based phishing. However, it should be noted that phishing attacks on social networking sites are also becoming more common. Scam messages may be posted as comments or via personal message systems on social networking sites such as Facebook and MySpace. The messages often contain seemingly innocent invitations to click an included link to view images or read member profiles.

However, clicking links in these bogus messages will open a fake version of the social networking site’s login page. Victims who log in to the fake page will be inadvertently sending their login details to scammers, who will then have complete access to their accounts.

Generally speaking, people become victims of phishing scams simply because they do not know how such scams operate. You can help by ensuring that friends and colleagues are aware of such scams and what to do about them. The power of such “word-of-mouth” education is substantial. You CAN make a difference by sharing your knowledge of phishing scams with other Internet users.

Important Notice

After considerable thought and with an ache in my heart, I have decided that the time has come to close down the Hoax-Slayer website.

These days, the site does not generate enough revenue to cover expenses, and I do not have the financial resources to sustain it going forward.

Moreover, I now work long hours in a full-time and physically taxing job, so maintaining and managing the website and publishing new material has become difficult for me.

And finally, after 18 years of writing about scams and hoaxes, I feel that it is time for me to take my fingers off the keyboard and focus on other projects and pastimes.

When I first started Hoax-Slayer, I never dreamed that I would still be working on the project all these years later or that it would become such an important part of my life. It's been a fantastic and engaging experience and one that I will always treasure.

I hope that my work over the years has helped to make the Internet a little safer and thwarted the activities of at least a few scammers and malicious pranksters.

A Big Thank You

I would also like to thank all of those wonderful people who have supported the project by sharing information from the site, contributing examples of scams and hoaxes, offering suggestions, donating funds, or helping behind the scenes.

I would especially like to thank David White for his tireless contribution to the Hoax-Slayer Facebook Page over many years. David's support has been invaluable, and I cannot thank him enough.

Closing Date

Hoax-Slayer will still be around for a few weeks while I wind things down. The site will go offline on May 31, 2021. While I will not be publishing any new posts, you can still access existing material on the site until the date of closure.

Thank you, one and all!

Brett Christensen,