The term phishing (pronounced "fishing") comes from the idea that Internet fraudsters are fishing for information -- usually confidential information such as bank account numbers and passwords -- and by sending out millions of phishing emails, they are bound to catch a bite.
Scammers phish for your personal information in a variety of ways. The most common method is through fraudulent emails that claim to be from your bank or another institution that already has your personal details. The email usually asks you to confirm these details by replying to the email or by visiting a fake web site that looks very similar to a real web site from the relevant institution. These practices are also referred to as social engineering.
Once scammers have convinced you to share your personal information, they can use it in a number of ways. Your credit card can be used for unauthorized purchases, your bank account can be cleared out, or your information can be sold to an identity theft ring.
Deceiving Users with Phishing Emails
The initial phishing email is designed to entice the recipient to open the email and click on the link provided. The fraudsters use multiple methods to do this, including enticing subject lines, forging the address of the sender, using genuine looking images and text and disguising the links within the email.
Deceptive Subject Lines
Phishing emails tend to have subject lines that appear to be genuinely related to who the email is from, in an attempt to entice you to open the email ("Important notice for all Internet Banking Users," for example). It is also common for subject lines to carry numerals or other letters to replace characters (such as capital "I" replacing "l") in an attempt to bypass spam filters. Some phishing emails will deliberately misspell key words, which most people would not recognize when quickly glancing at the subject line.
Forged Senders Address
The forging of the senders address is an easy deception method. There is no guarantee that the address listed as the senders address is genuine. Phishing scam emails will normally have a forged sender address, so that the email appears to originate from the company it is claiming to be.
Phishing emails normally use images and text styles copied from the legitimate web site, so that the email appears genuine. Many consumers are fooled into thinking an email is what it says it is simply because it has a recognizable company logo within the email.
Links within an email are deliberately disguised in another attempt to deceive the recipient. HTML emails may display a genuine URL, but when clicked, the link takes the user to a different web site. For example, a link displayed as www.genuine-site.com may actually take the user to www.fraud-site.com.
In text-only emails, a long URL can be presented with an "@" before the actual web site. For example, a link may be displayed as http://www.genuine-site.com-Verify83kcmdj30dk>Secure32902ds;firstname.lastname@example.org. This would take the user to http://www.fraud-site.com, as this is the portion of the URL that appears after the @ symbol. The link may look valid because it begins with the genuine site URL and contains genuine-looking words within the link.
The email contains a form for the consumer to enter their personal information and click "Submit", "Send" or "Update". Forms within emails utilize scripts located on a remote server to receive the information. The scripts either forward the information to the fraudsters or place the information in a database for the fraudster to pick up later.
These methods are used by the more complex phishing emails. Some amateur phishing emails may contain poor spelling and grammar, have no images, and may not even attempt to disguise the URL.
Deceiving Users with Phishing Web Sites
The purpose of the phishing web site is to trick you into thinking you are at the company's genuine web site. You end up trusting the site enough to provide your personal information. The following describes how fraudsters are able to convince users to do so.
Genuine Looking Content
The phishing web site uses images and text copied from or created with a look similar to the legitimate web site. The phishing site will contain the normal links such as contact us, privacy, products, services, etc. The user recognizes the web site content from the genuine site and are unaware they are not on the genuine web site.
The "social engineering" problem to be aware of here is that a user is making a trust judgement based on the appearance of a web site. Since both thieves and honest web site designers have access to the same tools, it is easy to make a new web site that is very similar to the genuine article.
URL very similar to genuine URL
Some phishing web sites use a registered domain name that is similar to that of the organization they are appearing to be from. For example, one phishing scam targeted Barclays Bank and used the domain name www.barclayze.co.uk (real URL www.barclays.co.uk).
Another method is to use a sub-domain such as www.barclays.validation.co.uk. The actual domain in this example is validation.co.uk, which is not related to Barclays Bank.
Collection of information using forms
The most common method used to collect information in phishing scams is by the use of forms on the fake web site. The form is normally displayed in the same format as that used on the genuine web site. This may be an Internet banking logon or a more detailed form for verification of personal details, with many fields for sensitive information.
Incorrect URL, not disguised
Some phishing scam web sites do not even attempt to deceive users with their URL and hope that the user does not notice. Some simply use IP addresses (192.168.1.1 for example) displayed as numbers in the user's address bar.
URL Spoofing to create a Fake Address Bar
This form of URL spoofing involves the removal of the address bar combined with the use of scripts to build a fake address bar using images and text. The link in the phishing email opens a new browser window, which closes and reopens without the address bar and in some case the status bar.
Hovering Text Box over Address Bar
This form of URL spoofing involves the placement of a text object with a white background over the URL in the address bar. The text object contains the fake URL, which covers the genuine URL.
This form of deception involves the use of a script to open a genuine web page in the background; in the foreground, a bare pop-up window (without address bar, tool bars, status bar and scroll bars) displays the fake web page. The idea is to mislead the user into thinking it is directly associated with the genuine page.
Trojan Viruses / Spyware
Trojan and worm viruses are sent to the user as an email attachment, purporting to be for some type of purpose, such as greetings, important files or other type of spam email. The attachment is a program that exploits vulnerabilities in browsing software to force a download from another computer on the Internet. This file downloads other files, which eventually installs a fully functional Trojan virus.
The Trojan is designed to search for personal banking information and passwords, which many people keep on their computer. This information is then sent to a remote computer on the Internet.
Other worms have been known to hijack the user's HOST file, which causes an automatic redirection to a fake phishing web site when the user types in a specific URL (normally for a specific financial institution) into the address bar of their Internet browser.
Spyware, such as keyboard loggers, capture information entered at legitimate web sites, such as Internet banking sites. This type of spyware can be planted on a user's computer using a previous worm or Trojan infection. Any information the spyware captures is sent to a predetermined computer on the Internet.
A recent phishing scam used the link in the email to direct the user's browsers to a site to first download keyboard logging spyware before redirecting the user to the genuine Internet banking web site. This spyware captured the logon information entered and sent this information to the fraudsters via a remote computer on the Internet.
What fraudsters do with your information
There are a number of ways in which personal information collected is used by the fraudsters:
- Hijacking user accounts
- Fraudulent use of credit cards
- ATM card duplication
- Identity Theft
Hijacking user accounts
If the victim provided bank account information, the fraudsters are likely to hijack the victim's bank account. Access passwords can be changed, for example, locking the victim out of their own account. The fraudsters may empty the victim's bank account by electronically transferring funds to a temporary account they have fraudulently set up using someone else's personal information. The cash is then withdrawn before the victim is aware of what has happened.
The fraudsters may also create, write and cash fraudulent counterfeit checks on the victim's account. In this way, the victim has no idea they have been defrauded until they notice cash has left their account.
The fraudsters may also store the account information, waiting for a time when there is the desired amount of money in the account. The victim has no idea until it's too late.
Fraudulent use of credit cards
If the victim provided credit card details, it is likely their card details will be used to make unauthorized fraudulent purchases.
The credit card information may also be sold to organized fraud rings weeks or months after the information theft occurred. The victim is unaware their credit card information is in the hands of fraudsters until they begin to see unauthorized charges on their statement, or they try to use their card, only to find out the card has reached its limit.
ATM card duplication
Some phishing scams require the user to provide their ATM card number, expiry date, and ATM Personal Identification Number. This allows the fraudsters to create duplicate ATM cards linked to the victim's debit card account. The victim's account may be cleared out through ATM withdrawals.
Identity Theft is the use of someone's personal information without their knowledge to apply for credit cards, make unauthorized purchases, gain access to bank accounts and apply for credit. Often, credit is obtained using the victim's name and personal information, who is then left to explain the credit and clear their name long after the fraudsters has disappeared.
Identity Theft is reported to be the world's fastest growing crime. In the past, fraudsters would trowel through rubbish bins and letterboxes looking for documents with personal information. Now they simply ask the victims for the information in the form of phishing scams.
Personal information is traded amongst identity thieves. While the fraudsters themselves may not use the personal information, it may be sold to identity thieves who will then use it to meet their needs. False credit can provide fraudsters with an anonymous way to survive and financially support illegal operations.
Incidence of Identity Theft in the United States has grown by more than 40% in 2003 compared to the previous year. The Federal Trade Commission estimates 4.7% of the U.S. population (approximately 10 million people) were victims of identity theft in 2002, with total losses of US$53 billion. Of this US$5 billion was lost by victims. The remaining losses were covered by businesses or financial institutions. [U.S. Federal Trade Commission – Consumer Sentinel Report 2003]