Phishing
From Wikipedia, the free encyclopedia.
This phishing attempt, disguised as an official email from Charter One Bank, attempts to trick users into giving away their account information by "confirming" it at the phisher's linked website.
In computing, phishing (also known as carding and spoofing) is a form of social engineering, characterised by attempts to fraudulently acquire sensitive information, such as passwords and credit card details, by masquerading as a trustworthy person or business in an apparently official electronic communication, such as an email or an instant message. The term phishing arises from the use of increasingly sophisticated lures to "fish" for users' financial information and passwords.
With the growing number of reported phishing incidents, additional methods of protection have been needed. These include legislation, user training, and technical measures.
Avoiding and spotting phishing attempts
A user who is contacted about an account needing to be "verified" could either contact the company that is the subject of the email, or could type a trusted web address for the company's website into the address bar of their browser, to bypass the link in the suspected phishing message. Many companies, including eBay and PayPal, always address their customers by their username in e-mails, so if an e-mail addresses a user in a generic fashion ("Dear valued eBay member") it is likely to be an attempt at phishing.
It is possible to spot some phishing attempts from the makeup of links in the message. One method of spoofing links used web addresses containing the @ symbol. For example, the link http://www.google.com@members.tripod.com/ may deceive a casual observer into believing that the link will open a page on www.google.com, whereas the link actually directs the browser to a page on members.tripod.com. This method has since been closed off in the Mozilla[3] and Internet Explorer[4] browsers. Misspelled URLs or the use of subdomains are other common tricks used by phishers, such as this example URL, http://www.yourbank.com.example.com/.
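As an added, defender-side example (not part of the Wikipedia article), the following Python checks a link against the three tricks just described, using the standard library's URL parser to recover the host the browser will actually contact; the expected domains and the misspelled hostname are constructed assumptions.

```python
from difflib import SequenceMatcher
from urllib.parse import urlsplit

# Constructed sample links modelled on the tricks described above
# (hypothetical hostnames, not taken from any real message).
SAMPLE_LINKS = [
    ("http://www.google.com@members.tripod.com/", "google.com"),  # userinfo trick
    ("http://www.yourbank.com.example.com/", "yourbank.com"),     # subdomain trick
    ("http://www.yourbnak.com/login", "yourbank.com"),            # misspelling (constructed)
    ("https://www.yourbank.com/login", "yourbank.com"),           # genuine
]

def real_host(url: str) -> str:
    """Host the browser will actually connect to.

    urlsplit() treats everything before '@' in the authority as user-info,
    so 'http://a.example@b.example/' yields 'b.example', not 'a.example'.
    """
    return (urlsplit(url).hostname or "").lower()

def registrable_domain(host: str) -> str:
    """Last two labels of the host (simplification: no public-suffix list)."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host

def analyse_link(url: str, expected_domain: str) -> dict:
    """Return the real host plus a list of warning labels for the link."""
    parts = urlsplit(url)
    host = real_host(url)
    owner = registrable_domain(host)
    findings = []
    if parts.username is not None:
        findings.append("userinfo-before-@")               # www.google.com@...
    if owner != expected_domain:
        findings.append("host-not-expected-domain")
        if expected_domain in host:
            findings.append("expected-domain-as-subdomain")  # yourbank.com.example.com
        elif SequenceMatcher(None, owner, expected_domain).ratio() >= 0.8:
            findings.append("lookalike-domain")            # yourbnak.com
    return {"host": host, "findings": findings}

if __name__ == "__main__":
    for link, expected in SAMPLE_LINKS:
        print(link, "->", analyse_link(link, expected))
```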
Technical responses
Several anti-phishing software programs are available. These programs work by identifying phishing content on websites and in emails; anti-phishing software may be integrated with web browsers and email clients as a toolbar that displays the real domain name of the website being visited. Spam filters also help protect users from phishers, because they reduce the number of phishing-related emails that users receive. There is also a solution that combines psychology and technology to help prevent users from falling prey to phishing.
Many organizations, including Bank of America, have introduced a feature called challenge questions. Challenge questions ask the user for information that would be known only to the user and the bank. Many sites have also added verification tools that allow users to see a secret image (a simple form of two-way authentication) that the user selected in advance; if the image does not appear, then the site is not legitimate.
The Anti-Phishing Working Group, an industry and law enforcement association, has noted that conventional phishing techniques could become obsolete in the future as people are increasingly aware of the social engineering techniques used by phishers.[14] They propose that pharming and crimeware will become more common tools for stealing information.