What is a Phishing Attack?
Identity theft has become the new white-collar crime, and it has grown tremendously. Criminals who steal identities use them in a number of ways. One of the most common tricks is to use a stolen identity to open a line of credit. The thief then depletes the line of credit, and the actual person receives the bill. Identities are also stolen for malicious intent, such as stealing a military officer’s email credentials in hopes of issuing fictitious orders to troops.
Phishing is a relatively new term to describe ploys used by criminals trying to steal identities. Phishing scams are on the rise:
"During 2004, close to 2 million U.S. citizens had their checking accounts raided by cyber-criminals. With the average reported loss per incident estimated at $1200, total losses were close to $2 billion. The incidence of phishing e-mails – e-mails that attempt to steal a consumer’s user name and password by imitating e-mail from a legitimate financial institution – has risen 4,000 percent over the past six months." (James, 2005, p. 2)
The term “phishing” is based on the term “fishing”. With fishing, you bait a hook and try to catch fish. If you do not get a bite, you often change the type of bait until you start catching fish. With phishing, the bait is typically an email that appears legitimate. The email typically asks a bank customer to validate their information; however, it redirects the customer to a fictitious bank site made to look like the legitimate one (James, 2005). The criminals hope the customer will not notice that the site is fictitious and will validate their account information there. Criminals send out numerous phishing emails as bait, hoping that the more bait they use, the greater the chance that someone will fall for the scam.
The key to preventing identity theft is awareness. Financial institutions typically do not ask for account information validation. Any email that asks for account validation or a social security number should itself be verified. The link contained within the email can be checked for legitimacy. These links often lead to bogus sites, which can easily be identified from the website address. For example, if you bank at www.citibank.com and you receive an email with a link that takes you to www.citibank.com.customer.cz, this should raise suspicion. Phishing scams use not only email but also the telephone. A typical scam involves a telephone call from someone impersonating your credit card company and asking you to validate your social security number, date of birth, etc. Credit card companies already have this information and do not need you to validate it. A simple line of defense is to ask the caller for the credit card company’s number and call them back.
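The link check described above, written as an added example (it is not from the original article or from James, 2005): it reads each link's hostname from right to left and compares it with the bank's domain. The function names and the sample email body are constructed for illustration; `citibank.com` is the article's own example.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

TRUSTED = "citibank.com"  # the bank domain from the article's example

def classify_host(host, trusted=TRUSTED):
    """Return 'trusted', 'lookalike' or 'other' for a hostname."""
    host = (host or "").lower().rstrip(".")
    # A hostname is read right to left: it belongs to the bank only if it
    # IS the trusted domain or ends with ".<trusted domain>".
    if host == trusted or host.endswith("." + trusted):
        return "trusted"
    # The bank's name anywhere else in the host is the disguise the article shows.
    if trusted in host:
        return "lookalike"
    return "other"

class LinkAudit(HTMLParser):
    """Collect (visible text, href host, verdict) for every <a> in an email body."""
    def __init__(self):
        super().__init__()
        self.results, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            host = urlsplit(self._href).hostname
            text = "".join(self._text).strip()
            self.results.append((text, host, classify_host(host)))
            self._href = None

def audit_email(html):
    parser = LinkAudit()
    parser.feed(html)
    parser.close()
    return parser.results

# Constructed sample email body, not a real message.
SAMPLE = ('<p>Please <a href="http://www.citibank.com.customer.cz/verify">'
          'validate your account</a> or visit '
          '<a href="https://www.citibank.com/">www.citibank.com</a>.</p>')
```

Calling `audit_email(SAMPLE)` returns one tuple per link, so a mail filter or a reviewer can see the real destination host next to the text the reader was shown.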
Reference: James, L. (2005). Phishing exposed. Rockland, MA: Syngress Publishing.