The term phishing refers to the act of fraudulently acquiring someone’s personal and private information, such as online account names, login information, and passwords. This information may then be used to steal money, order products using the victim’s credit cards, and otherwise defraud the victim. Phishing is accomplished through online means, meaning through the use of email, social media, and other internet-related methods. To explore this concept, consider the following phishing definition.
Definition of Phishing
- The act of obtaining confidential or financial information from internet users, by use of an online resource.
1995-2000 Tech lexicon, alteration of the term “fishing”
What is Phishing
As the world marched into the 21st century, the internet opened up new opportunities for socializing and commerce alike. People began taking advantage of the ease offered by companies to do everything from shopping, to paying their bills, and even banking online, without ever leaving their homes. Social media saw the forging of acquaintances, friendships, and even dating relationships online, often from a position of anonymity. Over time, people became comfortable doing more and more of their personal business online, providing their sensitive information to banks, lending institutions, credit card companies, retailers, and others.
This opened up a whole new realm of thievery and fraud, as criminals only had to be tech-savvy to gain access to the accounts of millions of people – without ever leaving their homes. A great deal of the private information that is stolen by internet thieves is garnered by phishing – essentially throwing in their (fishing) lines and seeing who bites. Phishing is a form of identity theft, and is illegal.
The most common phishing technique is to send out emails that look like they come from an official source – such as the recipient’s bank, credit card company, or other institution, that would possess the person’s secure information. These emails often ask the recipients to “verify” their accounts by replying to the email with certain details, such as their account login ID, their password or personal identifying number (“PIN”), credit card number, or other information.
As people began suspecting such emails, scammers upped the ante, providing a link in their official-looking emails, instructing the recipients to click on the link, ostensibly to be taken directly to the actual website, where they are then asked to provide such private information. In creating phishing emails, scammers often use high-quality graphics, spoofing the institution’s logo, and making the emails look very real and authoritative.
Example of Phishing Email
Margaret checks her email to discover that her bank, United Trustworthy Bank, has sent her a message to advise her that a suspicious login attempt has been made to her account. The message instructs Margaret to click on the link that is embedded in the message to go to the bank’s website, where she can verify her account information.
Once Margaret has followed the link, she finds a form for her to re-enter her “account information,” including her account number, her login ID, and her password. Armed with this information that should have been kept secure, the tech-savvy thieves can access her account, change her address, order new bank or credit cards, buy things online using her bank card, and use the information to open new credit accounts with retailers.
Phishing scams have grown in sophistication from the original email messages asking people to type in their protected information. Internet fraudsters have developed new skills, which include intercepting links to legitimate websites and redirecting people to spoofed websites that have been created to look very much like the real thing. Any information users enter into a spoofed website goes directly to the criminals – including the act of “logging in,” which in such cases only serves to provide the scammers with the victim’s login ID and password.
But scammers no longer rely solely on emails sent out to would-be victims. They now take a proactive approach, using malicious software to generate pop-up messages or warnings that alert the user to some serious and urgent problem. In some cases, such a pop-up message warns that the user’s computer is under attack, and advises him to click on the window for help. Doing so, however, may open a path into the user’s computer.
Phishing Scam Types
Phishing scams vary in scope and method – while many emails cast a wide net, others are targeted directly at a particular person or company. In addition to this broad email tactic, a number of electronic scam types have been identified, including:
- Spear Phishing – Emails that look very authentic, often including the user’s complete name, or making reference to some actual activity or project the user is involved with. This information is obtained by the scammers through online research, and even by hacking into a legitimate database. This is the most successful phishing type, accounting for over 90% of attacks.
- Whaling – Spear phishing that targets the email of a high-ranking business executive, in an attempt to compromise the company’s network and gain important financial or client information. According to the FBI, in the two and a half years between October 2013 and May 2016, nearly 18,000 U.S. victims accounted for a loss of $2.3 billion.
- Cloud Phishing – As people rely heavily on backing up, storing, and sharing their information on cloud servers, such as Dropbox, Google Docs, and OneDrive, scammers have begun trying to trick people out of their cloud login credentials. This may be done through phishing emails, and gives the scammers access to whatever photos and documents are saved on the victim’s account.
Examples of Phishing Messages
Many of the old phishing messages contained poorly worded requests, spelling errors, second-language grammatical errors, and other red-flag issues. Today’s more sophisticated scammer uses official-sounding language to urge his victims to act. Examples of these read something like this:
- “Our regular verification of accounts discovered some irregularity in your information. Please click here to update and verify your account information.”
- “Our records indicate that payment on your account is past due. Please click here to make your payment today.” (Alternatively, it may state that the account was overcharged, instructing the victim to click a link, or call a certain number to receive a refund. The victim will then be asked to provide his or her bank account information for the refund.)
- “We suspect that an unauthorized transaction has appeared on your account. To ensure your account has not been compromised, please click the link below and confirm your identity.”
In these examples, phishing messages often include some type of threat, or other sense of urgency, such as a threat of account closure if the user fails to respond immediately, or placing a very short limit on receiving a “refund.”
Phishing in Social Media
Social media platforms have turned the world into a veritable social village, encouraging people to engage in friendly relationships with others from around the globe. This has opened up a whole new frontier for phishing scammers, who maintain a variety of social media and email accounts with made-up names, stolen photos, and non-existent personal information.
There is an epidemic of scammers preying on people who are looking to forge personal relationships. After establishing a certain level of trust, by faking circumstances that would give them common grounds with their victim, these criminals begin duping their victims out of their hard-earned money. These requests are almost always based on a false “urgent” need, such as to pay court fees, medical bills, or for a plane ticket. Once the victim has sent money for one such need, it is easy for them to believe the scammer has other important needs for cash.
The hallmark of this type of fraud tends to be the targeting of older Americans who have at least some ability to send sizeable amounts of money. The scammer will make up excuses about why he cannot meet his victim face-to-face. These excuses range from a sudden trip for work, to illness, hospitalization, and even jail. Their requests for money are as varied, and often don’t make sense to someone on the outside looking in.
Protecting Yourself Against Phishing
The first line of defense against phishing is to never reply to, or click links within, suspect emails. If an email or message appears to be from a legitimate institution, such as your bank or credit card company, and warns that there may be a problem with your account, DO NOT reply. Rather, call the institution using the phone number on your statement or card, to ask about the problem. None of these institutions will ask for your login information or password, so such a request should raise a red flag in anyone’s mind.
Other tips for protecting yourself against phishing include:
- NEVER send your personal information, such as account numbers, your social security number, driver’s license number, or other identifying information in an email.
- NEVER enter personal information into a website if you are not absolutely certain it is a valid website.
- NEVER click on a link provided in an email, or call a phone number in an email if personal information may be involved. Look up the phone number yourself, or go to the company’s website yourself, to avoid being hijacked by the scammer.
- Update your computer’s anti-virus and anti-spyware programs regularly, and make sure your firewall is always up.
- Check the privacy settings on your social network accounts to limit who has access to your private information.
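The red flags listed in the sample messages above and in these tips can be checked mechanically. The following Python is an added example, not code from the original article: it scores a constructed email (modelled on Margaret’s “United Trustworthy Bank” message) for a sender domain that does not match the institution, link text that shows one site while pointing to another, and the urgency and credential-request wording quoted earlier. The sample message, sender address and `expected_domain` parameter are all assumptions for illustration.

```python
import re
from urllib.parse import urlparse

# Red-flag phrasing taken from the sample messages quoted on this page.
URGENCY = ("verify your account", "past due", "confirm your identity",
           "click here", "unauthorized transaction")
CREDENTIALS = ("password", "pin", "login id", "account number")
# Simplified anchor matcher; a real mail filter would use a proper HTML parser.
ANCHOR = re.compile(r'<a\s[^>]*href="([^"]*)"[^>]*>(.*?)</a>', re.I | re.S)
DOMAIN_IN_TEXT = re.compile(r"[\w-]+(?:\.[\w-]+)*\.[a-z]{2,}")

def base_domain(host):
    """Last two labels of a host name (adequate for .com-style domains)."""
    return ".".join(host.lower().split(".")[-2:])

def phishing_red_flags(from_addr, expected_domain, html_body):
    """Return the list of red flags found; an empty list means none triggered.

    expected_domain is the domain the message claims to come from, i.e. the
    one the reader would look up independently, as the page advises.
    """
    flags = []
    sender = from_addr.rsplit("@", 1)[-1].lower()
    if base_domain(sender) != base_domain(expected_domain):
        flags.append(f"sender domain {sender} is not {expected_domain}")
    for href, text in ANCHOR.findall(html_body):
        target = urlparse(href).hostname or ""
        shown = DOMAIN_IN_TEXT.search(text.lower())
        if shown and base_domain(shown.group()) != base_domain(target):
            # The spoofed-site trick: the link names one site but goes to another.
            flags.append(f"link text says {shown.group()} but goes to {target}")
        elif base_domain(target) != base_domain(expected_domain):
            flags.append(f"link points off-site to {target or href}")
    plain = re.sub(r"<[^>]+>", " ", html_body).lower()
    if any(p in plain for p in URGENCY):
        flags.append("urgency or verification wording")
    if any(re.search(rf"\b{c}\b", plain) for c in CREDENTIALS):
        flags.append("asks for credentials")
    return flags

# Constructed sample modelled on Margaret's "United Trustworthy Bank" message.
SAMPLE = ('<p>A suspicious login attempt was made on your account. Click '
          '<a href="http://utb-secure-login.example.net/verify">'
          'www.unitedtrustworthybank.com</a> to verify your account password.</p>')
```

A genuine statement notice from the bank’s own domain, with a link whose text and target agree, produces an empty list.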
How to Report Phishing
As the crime of identity theft through phishing has become a global threat, a number of governmental agencies and private organizations have taken up the cause of tracking down these criminals for prosecution, and protecting consumers. Most social networking sites provide information on protecting yourself against phishing, as well as advice on reporting it. For example, Facebook encourages its users to report suspected phishing on their site to firstname.lastname@example.org.
The Anti-Phishing Working Group (“APWG”) was formed to bring together a global response to various types of cybercrime. The APWG provides a way to report phishing, and instructions on what information should be forwarded with your report. The group’s public awareness campaign has adopted the slogan “STOP. THINK. CONNECT.” to encourage people to be more aware of their online presence.
In the U.S., cybercrime, including phishing, can be reported to the Federal Trade Commission (“FTC”) by forwarding the suspicious email to email@example.com. The FBI’s Internet Crime Complaint Center (“IC3”) also takes reports of cybercrime through its website form. Whenever you are reporting phishing or suspected internet fraud, it is important to record and save as much information as possible. Saving the actual emails is vital, as the full message contains more information than the date, time, and purported sender; a knowledgeable person can glean additional information from it, such as where the message actually came from.
Criminal Phishing Example in Operation Phish Phry
In 2009, the director of the FBI announced a major win in taking down an international phishing ring. The agency rounded up more than 50 suspects from the U.S., and nearly as many from Egypt, charging them with targeting U.S. banks and account holders, attempting to steal their account information through phishing scams and other types of computer fraud. These scammers ultimately transferred about $1.5 million to phony accounts under their control.
The two-year investigation in Operation Phish Phry was headed up by the FBI, and involved the Secret Service, the Electronic Crimes Task Force, and state and local law enforcement, as well as officials in Egypt. The driving concern that brings together so many agencies from around the globe is that, in some instances, such large-scale internet fraud and cybercrime may be linked to fundraising activities by terrorist groups. While these agencies attack this type of crime on a grand scale, it is up to individuals to safeguard their information, and report suspected phishing attacks.
Related Legal Terms and Issues
- Fraud – A false representation of fact, whether by words, conduct, or concealment, intended to deceive another.
- Identity Theft – The illegal use of another person’s personal identifying information in order to obtain money, credit, or other gain.