What is a Phishing Scam?

A phishing scam is an identity theft scam that arrives via email. The email appears to come from a legitimate source such as a trusted business or financial institution, and includes an urgent request for personal information usually invoking some critical need to update an account immediately. Clicking on a link provided in the email leads to an official-looking website. Personal information provided to this site, however, goes directly to the scam artist.

Fraud is a growing problem on the Internet as people are tricked into providing personal information including credit card numbers, passwords, Mother's maiden name, bank account numbers, ATM pass codes and social security numbers. Virus protectors and firewalls do not catch most phishing scams because they do not contain suspect code, while spam filters let them pass because they appears to come from legitimate sources.

The links included in phishing scams take the unsuspecting person to a fraudulent website designed to mimic the real thing, often down to the smallest detail including copyright notices, submenu titles and so on. It's virtually impossible for most people to tell they are the target of a phisher by looking at the site alone. Clues in the address can sometimes reveal the deception, however.

Similar looking characters might be substituted in the spelling of the link for the real character so that a "1" (numeral one) is used in place of a lower-case "L." For example, phishers have used paypa1.com rather than paypal.com. Other times an IP address — a numerical address — is used to hide the fact that the link is not taking the victim to the real site. Phishing scams have become so sophisticated, however, that phishers can also appear to be using legitimate links, right down to the real site's security certificate.

The best way to someone can protect himself from phishing scams is to avoid supplying personal information to an email request. If the request might be legitimate, the company's customer service department should be called to verify the request before providing any information; any phone numbers contained in the email, if any are included, should not be used. Even if the request is legitimate, one should manually enter the required address in the browser rather than clicking on a link, as a phisher scam could conceivably run concurrent with legitimate business.

For example, in early April 2005 a mass emailing that appeared to be from Microsoft Corporation urged recipients to download a much anticipated security update. Those that clicked on the link in the email were taken to a site that looked like a legitimate Microsoft update site. Instead of updating their software, however, they were actually downloading a Trojan horse — a remote access program that can steal personal information. Microsoft does not use email notification in this way, but many users were caught unaware.

The famous "letter from Nigeria" was another type of phishing scam. This type of scam is so prevalent, it has its own name: 419 scam. The phisher pretends to be a Nigerian official in distress requiring a US bank account to offload money. The person who allowed temporary use of their account would receive a handsome reward. Instead those who provided their banking information become victims of theft.

In the US, the Federal Trade Commission (FTC) and others have concentrated on public education to fight phishing scams, as catching phishers is difficult. Fraudulent sites operate for very short periods of time and scams are often run from other countries. In March 2005, Microsoft filed 117 phishing lawsuits in the Western District of Washington with unnamed defendants.

The Anti-Phishing Working Group (APWG) is an international organization of volunteers working to track phishing scams. Their website keeps an online database of fraudulent emails submitted to them. You can check this site for new scams, or send them phisher email you receive. The APWG is largely an information hub but they do provide links to consumer resources. The FTC also has advice for consumers, an email address for reporting phishing, on their website.