When used in the realm of computer security, “phishing” refers to electronic communications, such as emails, that are sent with the purpose of fraudulently gaining access to user information. Email is the most common form of phishing attack, but instant messages (IM), social networking postings, telephone calls, or text messaging might also be used. The attackers attempt to trick the user into revealing login information, Social Security Numbers, credit card numbers, or other personal information that can then be used maliciously.
The phishing attack usually attempts to mimic a legitimate organization the user might interact with, such as a bank, auction website or even the Internal Revenue Service (IRS). Often the communication preys on users’ fears, such as threatening to suspend bank accounts because of suspicious banking activity or unauthorized account access. It will urge users to act quickly, in hopes that the users will react before they realize the scam.
Often the phisher will send an email requesting the user click on a link and enter personal information on a web site. The link may be to a fraudulent site that looks very similar to the legitimate site. In other situations, the link causes a fraudulent popup window to display on a legitimate site. The popup window requests user information and sends it to the phisher, though it appears the information is going to the legitimate site.
In the case of a phishing email, the email may use an image of the organization’s real logo, making the email appear legitimate. The link the user is asked to click may also be spoofed to look real; the actual link may be very different.
The phishers may use a typo or modification of a well-known organization’s website address to trick users. For example, the legitimate web address of www.example.com becomes the fraudulent www.validate-example.com. Many people will not realize this is a different website.
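The two link tricks described above (link text that differs from the real destination, and a lookalike address such as www.validate-example.com) can be checked mechanically. The following is an added example, not part of the original article; the `TRUSTED` list, the function names, the brand-name heuristic, and the sample email body are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit
TRUSTED = {"example.com"}  # assumption: domains the real organization uses

def host_of(text):  # hostname of a URL or bare host name, else None
    text = text.strip()
    if not text or " " in text or "." not in text:
        return None
    try:
        url = text if "://" in text else "//" + text
        return (urlsplit(url).hostname or "").lower() or None
    except ValueError:  # malformed URL
        return None

def is_trusted(host):
    # Exact match or true subdomain; "validate-example.com" is neither.
    return any(host == d or host.endswith("." + d) for d in TRUSTED)

class LinkCollector(HTMLParser):  # gathers (href, visible text) per <a>
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def check_links(html):  # returns (href, reason) for each suspicious link
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        actual, shown = host_of(href), host_of(text)
        if actual and shown and shown != actual:
            findings.append((href, f"text shows {shown} but link goes to {actual}"))
        elif actual and not is_trusted(actual) and any(d.split(".")[0] in actual for d in TRUSTED):
            findings.append((href, f"lookalike of a trusted domain: {actual}"))
    return findings

# Constructed sample email body: two spoofed links and one genuine link.
SAMPLE = ('<a href="http://www.validate-example.com/login">www.example.com</a>'
          '<a href="http://www.validate-example.com/login">Click here</a>'
          '<a href="https://www.example.com/help">www.example.com</a>')
```

Calling `check_links(SAMPLE)` flags the first two links and passes the third, because the trusted check requires an exact match or a dot-separated subdomain rather than a simple substring.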
Social networking platforms, such as Facebook and MySpace, have given scammers new methods of tricking users. Some scams have occurred when legitimate accounts have been hacked. Acting as the legitimate social network account holder, the phisher pretends to be in trouble and pleads for funds.