Phishing: What is it?

Fishing (with an F) is something most people are familiar with. Take a fishing pole, bait it, cast your line, and wait for a fish to take the bait. Then you reel it in, and hopefully, you will have caught yourself an awesome fish. Fishing can be a relaxing hobby, a source of food, or a way to make a living. However, phishing (with a PH) is far from the peace and tranquility of fishing. Despite that, the basic concept of phishing is surprisingly similar to that of fishing.

Phishing is the act of trying to get your sensitive information, like passwords and credit card numbers, by acting like a trustworthy source. A phisher may send you an email, claiming to be your bank. They may tell you there has been a problem with your account, and they need you to log in to your account. They will provide you with a link to follow and sign in. This link, however, does not go to your bank. It goes to the phisher’s site, and if you logged in, you just gave the phisher your bank login information. The phisher can now log in to your actual bank account, and empty it.

In this example, you can see the similarity to fishing. The phisher is the fisherman, and you, and your information, are the fish. The phisherman casts his “line”, the email, baited with the false link to his own website. If you follow the link, you have taken the bait, and will get caught by the phisherman.

Phishers use lots of techniques to mask their intentions and keep up the idea that they are who they claim to be. First, they need to make sure that the link they provide looks like it goes where you think it's going to go, like your actual bank’s website. They manipulate the text in the link so that where it looks like it goes and where it actually goes are different places. If you look closely, you can sometimes notice that the two don’t match up: the text you see and the address behind it aren’t pointing to the same place. But if you aren’t paying attention, it can be easy to miss.

Once you have clicked the link, the phisher’s job is not done yet. They also have to make sure that their website looks just like the website that they are pretending to be, like your bank’s. Otherwise, you may realize that something is wrong, and not enter your details. Phishers can use JavaScript and Flash to mimic the actual site, while underneath the imitation, the phisher’s own site is waiting to collect your information.

While most phishing attempts use email, phishing can also take place over the phone or by text message. Regardless, phishing is always someone claiming to be someone they are not. They may claim to be your bank, your credit card company, your computer guy, or even a family member. Most phishing attempts are directed at individuals, so you may be a specific target in their mind, and they may have information that will help them target you specifically. The best defense against phishing is user awareness. Be aware of what is happening when you see an email or receive a phone call. If you are ever in doubt, call or email the real deal. If you receive an email from your “bank”, and you have even the slightest feeling it might not really be them, call your bank and ask them if they sent you an email. They will know for sure whether it really was them or not. To the phishermen, we are fish. When you see a hook, don’t take the bait.