Phishing is essentially an online con game, and phishers are nothing more than tech-savvy con artists and identity thieves. They use spam, fake Web sites, crimeware and other techniques to trick people into divulging account sign-in information.
In most cases, phishers send out a wave of spam email, sometimes up to millions of messages. Each email contains a message that appears to come from a well-known and trusted company. Usually the message includes the company's logo and name, and it often tries to evoke an emotional response to a false crisis. Couched in urgent, business-like language, the email often makes a request of the user’s personal information. Sometimes the email directs the recipient to a spoofed Web site. The Web site, like the email, appears authentic and in some instances its URL has been masked so the Web address looks real.
The bogus Web site urges the visitor to provide confidential information — social security numbers, account numbers, passwords, etc. Since the email and corresponding Web site seem legitimate, the phisher hopes at least a fraction of recipients are fooled into submitting their data. While it is impossible to know the actual victim response rates to all phishing attacks, it is commonly believed that about 1 to 10 percent of recipients are duped with a “successful” phisher campaign having a response rate around 5 percent. To put this in perspective, spam campaigns typically have a less than 1 percent response rate.