What Does Phishing Mean, Anyway?
Phishing (and no it is not spelled incorrectly) is a term used for anything used to trick, mislead, or persuade an individual into providing sensitive information that can be used for fraudulent purposes.
Wikipedia says it this way:
"Phishing is a way of attempting to acquire sensitive information such as usernames, passwords and credit card details by masquerading as a trustworthy entity in an electronic communication."
The types of information that a would-be phisher might be trying to acquire includes credit card numbers, passwords, account numbers and many other types of personal information.
A person can attempt to extract valuable information from an unassuming individual in many different ways. A few are listed below:
- Text Messages
- Instant Messages
- Telephone Calls
However, emails are the method of choice used by scam artists in their attempt to swindle innocent people into providing crucial information.
Anatomy of a Phishing Email
Why is phishing so dangerous? Because the emails that are used appear to come from a legitimate company and look very official. It is very easy to be fooled into providing credit card numbers, social security numbers and account information in hopes of rectifying some nonexistent catastrophic problem with an account.
The sense of urgency and impending doom created by the email sender is done intentionally with the hope of coaxing the recipient into taking immediate action by providing all requested information or face dire consequences.
An example of a typical phishing email is shown here. You will notice a few things if you look closely at the picture.
First, it looks very official. It has the Royal Bank of Canada logo and it appears to come from a legitimate RBC associate.
Second, it sounds very dire, alerting the user that the account needs to be updated within 48 hours. If not, any loss of secure information as a result of the alleged "security breach" may not be covered. This is meant to do nothing but scare the individual into providing all requested information.
Thirdly, a link is provided to take you to the "log-in page" where you are required to provide user name and password, which will then be available to the individuals responsible for the phishing attack.
As you can see, the designers of such attacks go to great lengths to create a very official and authentic email to invoke a sense of urgency and fear into their victims. Once they convince a user of the emails legitimacy, gathering all the information the user provides is as easy as a walk in the park.
Phishing Is a Real Threat
In a press release offered by public affairs officer, Thom Mrozek, of the United States Attorney's Office Central District of California, on March 26 2011 reads the following headline:
"FIVE DOMESTIC DEFENDANTS LINKED TO INTERNATIONAL COMPUTER HACKING RING GUILTY OF FEDERAL FRAUD CHARGES-46 People Charged in Operation ‘Phish Phry’ Have Now Been Convicted"
This attack was named "Phish Phry." An Egyptian based group of attackers sent out fraudulent emails asking for customers banking information. Once acquired, the information was then sent to a US based team that transferred funds into fraudulent accounts created using the compromised information gathered from the phishing attack.
According to Thom Mrozek:
"The conspiracy and bank fraud charges in this case carry statutory maximum sentences of 30 years in federal prison. The charge of aggravated identity theft carries a minimum sentence of two years that must be added to any of sentence imposed on the defendant."
Pretty serious jail time, wouldn't you agree?
The Government does not take phishing lightly and there are stiff penalties for anyone charged and convicted of phishing.
What Does This Mean?
Now that you know why phishing is so dangerous, I hope you take this threat seriously and be vigilant in your awareness of such attacks.
When receiving any email from an apparently legitimate financial institution, be extremely observant. A financial institution will never, under any circumstances, ask you to reset your account information online. This is a serious red flag.
Does the email claim there will dire consequences if you do not log in immediately, or within a certain time, to update your account information? Another red flag. Fear is the attacker’s best weapon, if he can scare you enough, the odds of you actually providing the information requested improve drastically.
Is there a link within the email that supposedly takes you to the "login page"? Another red flag. This is just an attempt to entice you to click it and be taken to a bogus log in page that looks very authentic.
Are phishing attacks dangerous? Yes, but if you know what to look for, and remain vigilant in your awareness, you can avoid danger and retain your piece of mind.
- United States Attorney’s Office, Central District of California, http://www.justice.gov/usao/cac/pressroom/pr2011/045.html
- Mrozek, Thom. “Press Release No. 11-045″. United States Attorney’s Office, Central District of California, March 26, 2011
- Image: “Lets Go Phishing” by Author using Microsoft Power Point
- Image: Royal Bank Phishing Scam by Richard Smithunder CC BY 2.0