Phishing: Examples and Prevention Methods

The term phishing comes from the fact that Internet scammers are using increasingly sophisticated lures as they "fish" for users' financial information and password data.

In the field of computer security, phishing is the criminally fraudulent process of attempting to acquire sensitive information such as usernames, passwords and credit card details by masquerading as a trustworthy entity in an electronic communication. Communications purporting to be from popular social web sites, auction sites, online payment processors or IT administrators are commonly used to lure the unsuspecting public.

Phishing is typically carried out by e-mail or instant messaging, and it often directs users to enter details at a fake website whose look and feel are almost identical to the legitimate one. (This is why phishing is also called brand spoofing). Even when using server authentication, it may require tremendous skill to detect that the website is fake. Phishing is an example of social engineering techniques used to fool users, and exploits the poor usability of current web security technologies. Attempts to deal with the growing number of reported phishing incidents include legislation, user training, public awareness, and technical security measures.

A phishing technique was described in detail in 1987, and the first recorded use of the term "phishing" was made in 1996. The term is a variant of fishing, probably influenced by phreaking, and alludes to baits used to "catch" financial information and passwords.

Free Money in Three Easy Steps

The first step is to reach as many potential victims as possible in the shortest amount of time with the least amount of effort. Below is a typical e-mail call to action as rendered by Microsoft's Outlook Express.

In later sections, the structure of the various tactics used by phishers will be explored. Generally speaking, most phishing e-mails are similar in both appearance and structure. Virtually all share one common feature: a clickable link to a fake site that has been built to look similar or identical to the legitimate site it is masquerading as.

The Catch:
A fraction of the potential victim pool, sometimes as much as two to three percent, fulfils the following criteria:
• They are customers of the phisher's chosen brand (Citibank, PayPal, etc.).
• They become sufficiently convinced that the message (and the supplied link) is a valid communication from their financial institution.
• They believe their immediate action is required to prevent a catastrophe (or, rarely, to collect a reward).

Once these requirements are met, the attacker must also provide these qualified victims with a credible facsimile of the targeted brand's login page, such as the (fake) site below:

Often, these forms lead to a second page, which collects even more account-relevant information, specifically, account numbers and PINs.

However, even if a user provided an accurate password, that password could be changed before the phisher has a chance to log in to the newly acquired victim account. So once account information has been collected, the most straightforward next step for the phisher is to log in to the phished account and perform an electronic funds transfer.

Examples of phishing:
Phishers typically include upsetting or exciting (but false) statements in their emails to get people to react immediately. They ask for information such as usernames, passwords, credit card numbers, social security numbers, dates of birth, etc. The PayPal message shown above is only one example of a phishing email. Others have impersonated First Generic Bank, Citibank, Bank of America, Bank of Scotland, HSBC, eBay, Intelligent Finance, Nationwide and so on. The phishing threat has spread all over the world through the Internet.

Prevention methods
In order to avoid becoming a victim of phishing, users must always be alert to the emails they receive. Here are some tips on how to avoid this Internet scam:

  • Be suspicious of any email with urgent requests for personal financial information unless the email is digitally signed.
  • If you receive an unexpected e-mail saying your account will be shut down unless you confirm your billing information, do not reply or click any links in the e-mail body. Instead, call the company on the telephone, or log onto the website directly by typing in the Web address in your browser.
  • Avoid filling out forms in email messages that ask for personal financial information. You should only communicate information such as credit card numbers or account information via a secure website or the telephone.
  • Before submitting financial information through a Web site, look for the "lock" icon on the browser's status bar. It means your information is encrypted during transmission (it does not by itself prove who operates the site).
  • If you are uncertain about the information, contact the company through an address or telephone number you know to be genuine.
  • Consider installing a Web browser tool bar to help protect you from known fraudulent websites. These toolbars match where you are going with lists of known phisher Web sites and will alert you.
  • Regularly log into and check your online accounts, bank, credit and debit card statements to ensure that all transactions are legitimate. Don't leave it for as long as a month before you check each account. If anything is suspicious or you don't recognize the transaction, contact your bank and all card issuers.
  • If you have unknowingly supplied personal or financial information, contact your bank and credit card company immediately.
  • Use anti-virus and anti-spyware software, as well as a firewall, and update them all regularly. And always be cautious about opening any attachment or downloading any files from emails you receive, regardless of who sent them.
  • Forward phishing emails to spam@uce.gov – and to the company, bank, or organization impersonated in the phishing email. You also may report phishing email to reportphishing@antiphishing.org. Suspicious e-mail can be forwarded to uce@ftc.gov, and complaints should be filed with the state attorney general's office or through the FTC at http://www.ftc.gov/. The Anti-Phishing Working Group, a consortium of ISPs, security vendors, financial institutions and law enforcement agencies, uses these reports to fight phishing.

Besides that, users can install Microsoft's Phishing Filter. It offers new technology to help protect Internet users from Web fraud and the risk of personal data theft. Scams known as "phishing scams" typically attempt to lure users into visiting phony Web sites where personal information or credit card information can be collected for criminal use. This form of identity theft is growing quickly on the Web.

Phishing Filter includes several patent-pending technologies designed to warn or block users from potentially harmful Web sites. There are three ways Phishing Filter helps to protect:

1. A built-in filter in your browser that scans the Web addresses and Web pages you visit for characteristics associated with known online Web fraud or phishing scams, and warns you if sites you visit are suspicious.

2. An online service to help block you from confirmed scams with up-to-the-hour information about reported phishing Web sites. (Phishing sites often appear and disappear in 24–48 hours, so up-to-the-hour information is critical to protection.)

3. A built-in way for you to report suspicious sites or scams. With Phishing Filter, you can help provide valuable information on any Web sites you believe are potentially fraudulent phishing attacks. You submit the information to Microsoft and Microsoft evaluates it. If the information is confirmed, the online service adds the information to a database to help protect the community of Internet Explorer users.
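As an added example (not code from the original page or from Microsoft's Phishing Filter), here is a small Python sketch of the two checks described in points 1 and 2: URL heuristics for characteristics typical of phishing lures, plus a lookup against a list of reported hosts. The brand table, the reported-host list and the sample URLs are constructed for illustration.

```python
"""Toy version of the two Phishing Filter checks: URL heuristics plus a list
of reported hosts. Added example; not Microsoft's code."""
from urllib.parse import urlsplit
import ipaddress

# Brands whose name inside a look-alike hostname is suspicious.
# Constructed table; a real filter would carry a far larger one.
PROTECTED_BRANDS = {"paypal": "paypal.com", "citibank": "citibank.com"}

# Constructed stand-in for the "up-to-the-hour" list of reported phishing hosts.
REPORTED_HOSTS = {"login-verify.example.net"}


def registrable_domain(host: str) -> str:
    """Last two labels of the hostname (toy approximation of public-suffix
    rules; 'paypal.com.example.org' -> 'example.org')."""
    return ".".join(host.split(".")[-2:])


def url_warnings(url: str) -> list[str]:
    """Return the reasons a URL looks like a phishing lure (empty = no warning)."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    reasons = []
    if host in REPORTED_HOSTS:
        reasons.append("host is on the reported-phishing list")
    if parts.username is not None:
        # In http://paypal.com@host.example.net the text before '@' is
        # userinfo; the browser actually connects to the host after it.
        reasons.append("userinfo before '@' hides the real host")
    try:
        ipaddress.ip_address(host)
        reasons.append("host is a bare IP address, not a brand's domain")
    except ValueError:
        pass
    if any(label.startswith("xn--") for label in host.split(".")):
        reasons.append("internationalized (punycode) label may be a homograph")
    if host.count(".") >= 4:
        reasons.append("unusually deep subdomain chain")
    domain = registrable_domain(host)
    for brand, real_domain in PROTECTED_BRANDS.items():
        if brand in host and domain != real_domain:
            reasons.append(f"'{brand}' appears in a host that is not {real_domain}")
        elif brand in parts.path.lower() and domain != real_domain:
            reasons.append(f"'{brand}' appears in the path of an unrelated site")
    return reasons
```

A browser-side filter would run these checks before navigation and show the warning; the reported-host set is the part that must be refreshed frequently, since such sites come and go within a day or two.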


1 comment:

PDF signature said...

Phishing is a way of attempting to acquire sensitive information such as usernames, passwords and credit card details by masquerading as a trustworthy entity in an electronic communication.
