An email from PayPal customer service asks you to confirm your user information. Taking it for a routine request, you submit your account details. Without realizing it, you may have all the cash in your account siphoned off before you wake up tomorrow morning, joining the thousands of people taken in by fake emails.
What exactly is phishing?
Phishing (pronounced "fishing") is a form of deception used to bait victims into handing over confidential information. The "phishers" then use that information, typically financial data, for their own ends, such as stealing the victim's money.
So why the odd spelling? Using "ph" in place of "f" in hacking-related terms originated with "phreaking", a term for breaking into telephone systems. "Phishing" itself derives from fishing, alluding to the use of carefully crafted lures to "fish" for a person's financial data.
How do phishers strike?
The tricks phishers use range from the simplest to the most elaborate. Most of them play on a person's greed or, in some cases, on their honesty.
Have you ever received spam with "YOU'VE JUST WON!!!" in its subject line? Or email saying that you will earn thousands, even millions of dollars in a very short time?
Let's take a look at one such email.
Phishers mostly use money as the bait. Such emails often tell potential victims that they have won a lottery or a lucky draw, and Internet newcomers are especially likely to fall for this.
The other form of confidence trick uses the victim's honesty as the trap. The phishers send the victim details of a transaction that never took place. Trying to clear up the "mistake", the victim fills in their confidential details and ends up handing them to criminals.
A fraudulent email often contains lengthy reassurances intended to make it look authentic:
“Your information is submitted via a secure server. We keep all your contact and billing information confidential and private.”
Reputable companies never ask for such confidential information by email. They use channels such as official letters, or ask customers to come to a branch or office in person, should anything need clarification.
Reaching potential targets
Email and Spam
Not all recipients of a phishing email are actually customers of the company the fraudsters claim to represent; only a fraction of them are, and it is that fraction the phishers are after.
By sending a very large number of emails (an estimated 3.1 billion phishing emails in 2004), the phishers can be sure that at least a few recipients will react and fall for the trick. A Gartner Inc. survey in April 2004 (Phishing Attack Victims Likely Targets for Identity Thefts) found that 3% of the 5,000 adults surveyed had given out personal information in response to phishing scams.
This email looks credible because the sender address uses @oldnationalbank.com as its domain rather than a free webmail domain such as @yahoo.com or @hotmail.com, which anyone can obtain. The domain name suggests that the sender belongs to the legitimate company and speaks with its authority.
In fact, the phishers are exploiting a basic weakness of SMTP (Simple Mail Transfer Protocol): it does not authenticate the sender. A phisher can set the envelope "MAIL FROM" and the visible "From:" header to any address, so the message appears to come from whichever organization they want to impersonate. They can also add a "Reply-To:" header pointing at a mailbox they control, so that any replies the victim sends go to the phisher rather than to the impersonated company. (Note that the field the original text calls "RCPT:" is the recipient of the message, not where replies go; it is the Reply-To header that redirects them.)
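The header mismatch described above is something a mail client or gateway can check for mechanically. The following Python script is an added example written for this page, not code from the original article or from any mail vendor: it parses two constructed sample messages (the domains mail-relay.example.net and onb-secure-login.example.org are placeholders chosen for illustration, and neither message is a real capture) and compares the domain a reader sees in "From:" against the domains in "Return-Path" (recorded by the receiving server from the envelope MAIL FROM) and "Reply-To" (where replies will actually go).

```python
import email
from email import policy
from email.utils import parseaddr

# Constructed phishing sample (not a real capture): the visible From: uses the
# bank's domain, but the envelope sender and Reply-To point elsewhere.
# The non-bank domains below are placeholders chosen for this example.
SAMPLE_PHISH = """\
Return-Path: <bounce@mail-relay.example.net>
From: Old National Bank Customer Service <service@oldnationalbank.com>
Reply-To: account-verify@onb-secure-login.example.org
To: victim@example.com
Subject: Please confirm your account information
Content-Type: text/plain; charset="us-ascii"

Your information is submitted via a secure server. Reply with your
account number and password to keep your account active.
"""

# Constructed legitimate-looking sample: all three sender-related headers agree.
SAMPLE_LEGIT = """\
Return-Path: <statements@oldnationalbank.com>
From: Old National Bank <statements@oldnationalbank.com>
To: customer@example.com
Subject: Your monthly statement is available
Content-Type: text/plain; charset="us-ascii"

Your statement is ready. Log in at the address printed on your card.
"""


def _domain(addr_header):
    """Return the lowercase domain part of an address header, or None if absent."""
    if not addr_header:
        return None
    _display_name, addr = parseaddr(str(addr_header))
    if "@" not in addr:
        return None
    return addr.rsplit("@", 1)[1].lower()


def sender_mismatches(raw_message):
    """Compare the From: domain a reader sees against Return-Path and Reply-To.

    Returns a list of human-readable findings; an empty list means the headers
    are consistent, which does not prove legitimacy (every header can be forged)
    but removes the most common tell-tale of a spoofed sender.
    """
    msg = email.message_from_string(raw_message, policy=policy.default)
    from_dom = _domain(msg["From"])
    findings = []
    for header in ("Return-Path", "Reply-To"):
        dom = _domain(msg[header])
        if dom is not None and dom != from_dom:
            findings.append(
                f"{header} domain {dom!r} differs from From domain {from_dom!r}"
            )
    return findings


if __name__ == "__main__":
    for label, sample in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(label, sender_mismatches(sample) or ["headers consistent"])
```

Run stand-alone, the script reports two mismatches for the phishing sample (both Return-Path and Reply-To leave the bank's domain) and none for the statement notice. A gateway would typically feed such a finding into its spam scoring rather than block on it outright, since legitimate bulk senders also use third-party relays.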
One easy way to spot phishing emails is to look at the grammar: they often contain blatant grammatical errors and misspellings. This is frequently deliberate, an attempt to slip past spam filters that match on known phrases.