Pronounced as “fishing,” phishing is the act of sending faked e-mails that falsely appear to come from a legitimate (and often well-known) business enterprise. The aim is to lure unsuspecting email users into divulging personal data such as account usernames, passwords and credit card numbers on a bogus website. This information is typically used by a phisher for financial or blackmailing purposes.
History of Phishing
The term “Phishing” is relatively new, being coined around 1996 by hackers who stole America On-Line dialup accounts by scamming passwords from AOL users. The word “phishing” comes from the analogy that these cyber-fraudsters use faked emails to “fish” passwords and other personal information from a sea of internet users.
The “f” in the word “fishing” was replaced by “ph” to form “phishing”. This was because the very first and original form of hacking was actually called “phreaking”. In phreaking, a criminal uses a device known as a “Blue Box” to hack into telephone systems. This crime was particularly notorious in the 1970s.
Although the term “Phishing” itself is relatively new, this type of fraud has been around for quite some time. In the past, hackers did the same thing over the telephone and called it social engineering. However, its new delivery vehicles are faked emails and Web pages.
So what makes a phishing attack so alluring? Here are some of the things that phishers do to convince their recipients:
- Phishers use popular and well-trusted brand names such as Citibank, eBay, PayPal, Yahoo, etc.
- The email messages are made to look authentic by featuring corporate logos and adopting a colour scheme that is similar to the one used by the real company for legitimate messages.
- Phishers often create a link in the email message that gives you the impression that it is taking you to a legitimate website, while in fact it sends you elsewhere, to a bogus website.
- Often such fake email messages warn the users to update their personal particulars or risk losing their account.
Typically, a combination of fear and trust makes the recipient respond to the email message. As a result, the recipient suffers financial losses and identity theft.
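As an added example (not code from the original page), here is a defender-side check for the deceptive-link trick in the list above: it scans e-mail HTML for anchors whose visible text names one host while the href actually points somewhere else. The sample message and the last-two-labels domain comparison are constructed assumptions.

```python
"""Flag anchors whose visible text shows one host but whose href
points elsewhere. Added example; sample HTML below is constructed."""
from html.parser import HTMLParser
from urllib.parse import urlparse
import re

# Constructed sample: an honest link, a deceptive link, and "click here" text.
SAMPLE_HTML = """
<p>Dear customer, please <a href="https://www.citibank.com/login">
log in to www.citibank.com</a> within the nearest time.</p>
<p>Or use <a href="http://203.0.113.5/citi/verify.php">https://www.citibank.com/verify</a></p>
<p><a href="https://example.org/help">click here</a></p>
"""

# Matches a hostname (optionally prefixed by a scheme) inside visible link text.
HOST_RE = re.compile(r"(?:https?://)?((?:[\w-]+\.)+[a-z]{2,})", re.I)

def registered_domain(host):
    """Crude last-two-labels comparison (assumption: no public-suffix list)."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()

class AnchorCollector(HTMLParser):
    """Collects (href, visible_text) pairs for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join(self._text).strip()))
            self._href = None

def find_deceptive_links(html):
    """Return (href, text) pairs whose shown host differs from the href host."""
    parser = AnchorCollector()
    parser.feed(html)
    flagged = []
    for href, text in parser.links:
        shown = HOST_RE.search(text)
        if not shown:
            continue  # text like "click here" names no host, nothing to compare
        target = urlparse(href).hostname or ""
        if registered_domain(shown.group(1)) != registered_domain(target):
            flagged.append((href, text))
    return flagged
```

Running `find_deceptive_links(SAMPLE_HTML)` flags only the second link, whose text claims citibank.com but whose href leads to a bare IP address.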
Source: http://www.antiphishing.org/index.html
As you can see from the graph above, phishing attacks are gradually increasing. It can also be seen that there were at least 180 phishing attacks per week from April 2004 to June 2004. According to the Anti-Phishing Working Group, phishers are able to convince up to 5% of the recipients to respond to them.
In September 2003, the Federal Trade Commission reported that 9.9 million U.S. residents had been victims of identity theft during the past year. This resulted in a total loss of $48 billion for businesses and financial institutions.
This is an example of how a phishing attack is really carried out. The following is a typical “phishy” email sent by phishers to trick their victims. This email message was received by one of our own team members.
In this example, the entire email message is in an image form. With the Citibank official logo and a link back to the well-known Citibank website, this email looks very authentic indeed. However, when a user clicks on the link provided, the user is sent to a different, bogus website instead.
Note that the email urges the user to take action “within the nearest time”. This is typical of phishy emails.
Below is a screenshot showing the Phishing site:

This is a cleverly made phishing site. Note that the authentic Citibank website is opened in the background, with the phish opening itself in a pop-up window. This pop-up window does not actually belong to the Citibank website, but victims can easily mistake it for part of the Citibank website. The URL of the phishing site is not displayed anywhere, so the victims have no clue that they are actually being phished.
A similar phish scheme has also been used in attacks against other banks, such as U S Bank, ANZ and National Bank of Australia. View more screenshots of phishing sites (flash file, 125 KB).