The definition of phishing is a type of Internet fraud scam where the scammer sends email messages that appear to be from financial institutions or credit card companies that try to trick recipients into giving private information (i.e., username, password, account number, etc.). The scammer uses the information to steal the recipient's identity and/or money from their account.
Ways to Avoid Phishing Scams
- Never click on a link within an email requesting that you enter your username, password, credit card number, etc.
- If you have any doubts about whether an email is real, contact the company directly to check on the authenticity of the email by using the phone number or email address on their website.
- Do not open any "fishy" emails that have misspellings, poor graphics, unusual or long URLs or emails which include a long cc list of other email addresses. Delete immediately.
- If you suspect an email is a phishing attempt, contact the company directly.
- Make sure that you have unique usernames and passwords for each account and website you regularly visit.
- Install spyware and/or a browser that alerts users to phishing websites.
- An example of phishing is a spam email that looks like it comes from your bank and says you must provide your Social Security number or your account will be closed.
- An example of phishing is a spam email to employees asking them to update their username and passwords
- An example of phishing is Facebook members receiving an email purportedly from Facebook, asking them to enter login details (on a replica of the Facebook homepage). This provides the phishers with the information needed to send emails to the person's friends to steal their identity or to infect their computer with viruses or spyware.
Also known as brand spoofing and carding. A popular Internet e-mail scam that involves unsolicited e-mail (i.e., spam) contact in which the scam artist attempts to gain valuable information from the 0 90 180 270 360 0 90 180 270 360 target by gaining that person's confidence through various social engineering techniques and technical subterfuge. The term phishing was coined in the 1996 timeframe by crackers (malicious computer hackers) to describe the process of fishing for suckers by using some sort of lure or bait. (Hackers commonly replace f with ph, phor reasons that are entirely unphathomable to the rest of us.) Phishing commonly involves phony e-mails from banks, credit card companies, e-tailers, insurance companies, mortgage brokers, or other financial institutions warning that your account has been subjected to fraud or perhaps that your credit card is due to expire, and that you must confirm certain information such as an account number and password, or perhaps your social security number. The mail includes a hyperlink to a phony website that quite closely matches the legitimate website. If the scam is successful, the unsuspecting target clicks on the link and divulges information necessary for the scam artist to perhaps wipe out a bank account, max out a credit card, or even steal a person's identity, incur extraordinary debts in his name, and generally ruin his credit. See also e-mail, hyperlink, Internet, pharming, pretexting, scam, social engineering, and spam.
A form of identity theft whereby a scammer uses an authentic-looking email from a large corporation to trick email receivers into disclosing online sensitive personal information, such as credit card numbers or bank account codes.
According to a 2004 report released by Gartner, Inc., an IT marketing research firm, phishing exploits cost banks and credit card companies an estimated $1.2 billion in 2003. Moreover, according to the Anti-Phishing Working Group (a nonprofit group of government agencies and corporations trying to reduce cyber fraud), more than 2,800 active phishing sites were known to exist.
In April 2005, a new “cousin” of phishing was defined and called “WiPhishing” (pronounced “why phishing”)—an act executed when an individual covertly sets up a wireless-enabled laptop computer or access point to get other wireless-enabled laptop computers to associate with it before launching a crack attack. About 20% of wireless access points use default SSIDs. Because users failed to rename them, a cracker can quite easily guess the name of a network that target computers are normally configured to, thereby gaining access to the laptop computer and putting malicious code into it. Intrusion detection appliances such as AirPatrol Enterprise have been designed to detect wireless exploits.
Firms having wired networks are at risk of being cracked if employees’ laptop computers are left on. Instead of exploiting wireless networks with WiPhishing, crackers could do even more damage by hijacking the legitimate connection to a wired computer network, exploiting the soft underbelly of that network, and launching an invasive attack.
Levinsky, D. Hacker Teenage Pleads Guilty. [Online, May 14, 2005.] Calkins Media, Inc. Website. http://www.phillyburbs.com/pb-dyn/news/112-05142005-489320.html; Leyden, J. WiPhishing Hack Risk Warning. [Online, April 20, 2005.] http://www .theregister.co.uk/2005/04/20/wiphishing; MarketingSherpa, Inc. The Ultimate Email Glossary: 180 Common Terms Defined. [Online, 2004.] MarketingSherpa, Inc. Website. Reg SETI Group Website. http://www.marketingsherpa.com/sample.cfm?contentID=2776.
Pronounced "fishing," it is a scam to steal valuable information such as credit card and social security numbers, user IDs and passwords. Also known as "brand spoofing," an official-looking e-mail is sent to potential victims pretending to be from their bank or retail establishment. E-mails can be sent to people on selected lists or any list, expecting some percentage of recipients will actually have an account with the organization. E-Mail Is the "Bait" The e-mail states that due to internal accounting errors or some other pretext, certain information must be updated to continue your service. A link in the message directs the user to a Web page that asks for financial information. The page looks genuine, because it is easy to fake a valid Web site. Any HTML page on the Web can be copied and modified to suit the phishing scheme. Rather than go to a Web page, another option is to ask the user to call an 800 number and speak with a live person, who makes the scam seem even more genuine. Anyone Can Phish A "phishing kit" is a set of software tools from phishing developers that help the novice phisher copy a target Web site and make mass mailings. It may even include lists of e-mail addresses (how thoughtful of people to create these kits!). In the meantime, if you suspect a phishing scheme, you can report it to the Anti-Phishing Working Group at www.antiphishing.org. See pharming, vishing, smishing and twishing. "Spear" Phishing and Longlining Spear phishing is more targeted and personal. The message supposedly comes from someone in the organization everyone knows, such as the head of human resources. It could also come from someone not known by name, but with an authoritative title such as LAN administrator. If even one employee falls for the scheme and divulges sensitive information, it can be used to gain access to more of the company's resources. The "longline" variant of spear phishing sends thousands of messages to the same person, expecting that the individual will eventually click a link. The longlining term comes from using a large number of hooks and bait on a long fishing line, and mobile phones are major targets for this approach.