Thursday, January 29, 2009

Phishing

Phishing is the use of bogus emails and websites to trick you into supplying confidential or personal information.

Typically, you receive an email that appears to come from a reputable organization, such as a bank. The email includes what appears to be a link to the organization’s website. However, if you follow the link, you are connected to a replica of the website. Any details you enter, such as account numbers, PINs or passwords, can be stolen and used by the hackers who created the bogus site.

Sometimes the link displays the genuine web site, but superimposes a bogus pop-up window. You can see the address of the real website in the background, but details you enter in the pop-up window can be stolen.

Sometimes the hacker uses a technique called “cross-site scripting”: the link takes you to the correct website, but subverts it by pulling in content from elsewhere. Once again, the part of the site where you enter information is controlled by the hacker.

Phishing had its origins in the 1990s, when scammers used the technique to collect AOL account details so that they could gain free internet access. The details were called “phish” because they were gathered by “fishing” for users. The “ph” imitates the spelling of “phreaker”, the term for those who used to hack into the telephone network.

You should always be wary about emails that use generic salutations, e.g. “Dear Customer”, and about following links sent to you in emails. Instead, you should enter the website address in the address field and then navigate to the right page, or use a bookmark or a “Favorite” link. Even if you enter the address, there is a risk of being redirected to a bogus site (see Pharming), so you should always exercise caution.

Anti-spam software can block many phishing-related emails. Some software can detect phishing content on web pages or in email, and can provide a toolbar that shows the real domain for the website you are following a link to.
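As an added illustration of the two checks described above (the real domain a link actually leads to versus the address it displays, and a generic salutation such as “Dear Customer”), here is a small Python script written for this post. It is example code, not Sophos software, and the email body and domain names in it are constructed for the demonstration; the “registrable domain” helper is a deliberate simplification that takes the last two labels of a hostname rather than consulting a public-suffix list.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Salutations that a bank or other organisation holding your details would not normally use.
GENERIC_SALUTATIONS = ("dear customer", "dear user", "dear member", "dear account holder")

# Visible link text that itself looks like a web address (with or without a scheme).
_URL_LIKE = re.compile(r"^(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?$", re.IGNORECASE)


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def real_domain(href):
    """Return the host a link really points to (what a toolbar would show), or '' if none."""
    return (urlparse(href).hostname or "").lower()


def registrable_domain(host):
    """Crude approximation (assumption: last two labels) of the domain someone registered."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def analyse_email(html_body):
    """Report each link's real domain, links whose shown address differs from the real
    one, and whether the message opens with a generic salutation."""
    collector = _LinkCollector()
    collector.feed(html_body)

    links, mismatched = [], []
    for href, text in collector.links:
        target = real_domain(href)
        if not target:
            continue  # mailto:, relative or malformed links carry no host to check
        links.append((text, target))
        if _URL_LIKE.match(text):
            shown = real_domain(text if "://" in text else "http://" + text)
            if registrable_domain(shown) != registrable_domain(target):
                mismatched.append((shown, target))

    plain_text = re.sub(r"<[^>]+>", " ", html_body).lower()
    generic = any(s in plain_text for s in GENERIC_SALUTATIONS)
    return {"links": links, "mismatched": mismatched, "generic_salutation": generic}


# Constructed sample: the visible address names the bank, the href does not.
SAMPLE_EMAIL = """
<html><body>
<p>Dear Customer,</p>
<p>Please verify your account at
<a href="http://bank.example.verify-now.test/">https://www.bank.example/login</a>
within 24 hours.</p>
<p>Thank you, <a href="https://www.bank.example">Example Bank</a></p>
</body></html>
"""

if __name__ == "__main__":
    report = analyse_email(SAMPLE_EMAIL)
    for text, domain in report["links"]:
        print(f"link '{text}' really goes to {domain}")
    for shown, target in report["mismatched"]:
        print(f"WARNING: shows {shown} but leads to {target}")
    if report["generic_salutation"]:
        print("WARNING: generic salutation")
```

Run on the sample, the script reports that the first link displays www.bank.example but leads to bank.example.verify-now.test, and flags the “Dear Customer” greeting; the second link is listed with its real domain but raises no warning, because its visible text is a name rather than an address.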

Sophos.com
