According to the Wikipedia, Phishing (pronounced FISH.ing) is a form of social engineering, characterised by attempts to fraudulently acquire sensitive information, such as passwords and credit card details, by masquerading as a trustworthy person or business in an apparently official electronic communication, such as an email or an instant message. The term phishing arises from the use of increasingly sophisticated lures to “fish” for users’ financial information and passwords.

COMPUTERWORLD’s DEFINITION: “Phishing is a technique used to gain personal information for purposes of identity theft, using fraudulent e-mail messages that appear to come from legitimate businesses. These authentic-looking messages are designed to fool recipients into divulging personal data such as account numbers and passwords, credit card numbers and Social Security numbers.”

WARNING: None of the emails below are legitimate emails from the companies they seem to represent. All of them are bogus and attempt to solicit account information from customers of the target companies. No legitimate emails from these companies would ask you to verify your account information in this manner. Note that most of the links in these emails do not go to the real companies websites, but rather to some other website where a fake input form is used to collect the customers account information.

Whenever you are inboubt about an email that appears to come from a company with whom you have an account, do one of the following:

1. Call the company to verify that the email was sent by them.
2. Forward the email to an email address from the company that you know is valid and ask for verification. Don’t use any email address that is supplied in the email you received.
3. Type the company’s URL directly into your Browser’s URL address box (don’t use any links in the email that was sent to you). Logon to your account and check if your account is working properly. Look to see if the company has an address where you can report suspecious emails or mailings and forward the email to that address.

Phishing Email Example 1:

The following example was received 12/14/05 and targets USAA customers. Note that the link provided in the email does not go to a USAA website. However, even if it did seem to point to a USAA website, the link could be descised through several methods using HTML email to actually be pointing to somewhere else so don’t ever assume that the links are really pointing to the legitimate company website even if they seem to be doing so. USAA will NEVER send their customers an email similar to the one below asking the customer to enter their account information for verification.

Dear USAA Member,

During our regular update and verification of the accounts, we could not verify your current information. Either your information has changed or it is incomplete.

As a result, your access to online banking on USAA has been restricted. To start using fully your online account, please update and verify your information by clicking the link below :

http://www.ptcnets.com

Thank you for your prompt attention to this matter.

Regards,
USAA Inc.

Phishing Email Example 2:

The following email arrived 12/15/05 to an email address that is used only by Ezine Publishers requesting a copy of an article from an autoresponder. Thus the email address was obviously harvested from the Internet without any knowledge of its real use. Things that immediately identify this email as a Phishing email include:

1. The email address to which it was sent. (Only used for articles, thus no account would be associated with this address).
2. I do not have an account with the Navy Federal Credit Union
3. The link address in the email does not really point to a Navy Federal Credit Union website. (place your mouse cursor over the link and you will see that the link really points to “http://www.farmaciagalenica.com/imagenes/new/index.asp”

Again, the email below is NOT an email from the official Navy Federal Credit Union website, but rather a Phishing attempt targeting Navy Federal Credit Union customers. The Navy Federal Credit Union would NEVER send out such an email to its customers.

Phishing Email Example 3:

I received the following Phishing email on 7/29/06. This is NOT a legitimate email from PayPal®.

If you place your cursor over the link “Click here to update our PayPal account information” you will see that the actual link does not go to a PayPal address, but simply to an IP numbered address “http://80.163.160.10/”

1. PayPal will not send you an email asking you to update your account information.
2. If PayPal sends you a link that requires you to enter sensitive information (such as your userid and password when you log on to their site) it will be to a PayPal address with “https:” not “http:” preceeding the address. Https is the secure protocol.
3. If you have a PayPal account and are in doubt as to whether or not an email actually comes from PayPay, do not click on the link provided in the email, but rather open up your web browser and type www.PayPal.com directly in to the address box. This way, if the link is bogus, you will not go to a fake PayPal page (Phishing websites will steal the actual logos and other images from the legitimate website to creat a look-a-like site, so don’t fall for that trap).