Phishing is a form of social engineering used to acquire sensitive personal information such as usernames, passwords, and credit card details by disguising communications to appear from a trustworthy source. It is typically done through email or instant messaging that directs users to enter information at a fake website. Phishing exploits poor web security and the difficulty of detecting fake websites. It has been used since the 1980s and was first termed "phishing" in 1996, derived from fishing to catch information like passwords. Phishing can cause financial losses for victims and undermine public trust in online commerce.
In the field of computer security, phishing is the criminally fraudulent process of attempting to acquire sensitive information such as usernames, passwords and credit card details by masquerading as a trustworthy entity in an electronic communication. Communications purporting to be from popular social web sites, auction sites, online payment processors or IT administrators are commonly used to lure the unsuspecting public. Phishing is typically carried out by e-mail or instant messaging, and it often directs users to enter details at a fake website whose look and feel are almost identical to the legitimate one. Even when using server authentication, it may require tremendous skill to detect that the website is fake. Phishing is an example of social engineering techniques used to fool users, and exploits the poor usability of current web security technologies. Attempts to deal with the growing number of reported phishing incidents include legislation, user training, public awareness, and technical security measures.

A phishing technique was described in detail in 1987, and the first recorded use of the term "phishing" was made in 1996. The term is a variant of fishing, probably influenced by phreaking, and alludes to baits used to "catch" financial information and passwords.

History

A phishing technique was described in detail in 1987, in a paper and presentation delivered to the International HP Users
mention of the term "phishing" is on the alt.online-service.america-online Usenet newsgroup on January 2, 1996, although the term may have appeared earlier in the print edition of the hacker magazine.

Phishing techniques

Phishing is another common internet scam. It is a criminally fraudulent process that illegally acquires sensitive information. It is used to steal passwords and other pertinent personal information that can be used to enter private accounts with malicious intent.

It is usually done by electronic mail or instant messaging. Phishing directs the victim to enter their pertinent details in a fake website. These websites are tricky because they look legitimate and trustworthy. Scammers get access to important details when victims fall prey by entering their personal information.

Such important details are used to cash out money from ATMs or bank accounts.

You may use SSL with strong cryptography, but SSL still cannot detect that the website is fake. This is an example of a social engineering technique. It is used to fool users and abuse the usability of web security technology.

Phishing techniques were described as early as 1987, but the term was first recorded to have been used in 1996. The term rhymes with the word fishing, which means to catch. Phishing catches the financial and personal information of a person, like passwords.

The following are the more common phishing techniques:

Link Manipulation

Links are internet addresses that direct one to a specific website. We usually give out links to our personal blogs or digital album sites to our friends and family via emails or instant messages.

In phishing, these links are usually misspelled. One or two letters make a big difference, and the link will lead you to a different, and often fake, website or page. It is a form of technical deception. Phishers also use sub domains.

Another method of trickery in links is the use of the '@' symbol. This sign was originally intended to include a username and password in a link. These links are disabled by Internet Explorer, but Mozilla Firefox and Opera just present warning messages that are sometimes not easily noticed.

Aside from this, there is also what is called Internationalized domain name (IDN) spoofing, or the homograph attack.

Filter Evasion

This is the use of images instead of text. Through this, anti-phishing filters will have a hard time detecting the emails.

Website forgery

There are some phishing scams that use JavaScript commands to alter the address bar. This directs the user to sign in at a bank or service of the phisher, where he will extract information from you.

Flash-based websites evade anti-phishing techniques by hiding the text in a multimedia object.

Phone Phishing

This is done by using fake caller ID data to make it appear that the call came from a trusted organization. The operator who answers your call will ask you to give your account numbers and passwords.

There are many other phishing techniques. Some have already developed counter-phishing techniques, but scammers continue to invent still newer tricks. Always be alert and never give out your most private details easily.

Damage caused by phishing

Phishing has four distinct types of impact, both domestically and internationally, that are of concern to the commercial and financial sectors and to law enforcement in both countries:

• Direct Financial Loss. Depending on the type of fraud that a criminal commits with the aid of stolen identifying data, consumers and businesses may lose anywhere from a few hundred dollars to tens of thousands of dollars. Indeed, small e-commerce businesses may be particularly hard-hit by identity fraud. For example, because of credit card association policies, an online merchant who accepts a credit card number that later proves to have been acquired by identity theft may be liable for the full amount of the fraudulent transactions involving that card number.

• Erosion of Public Trust in the Internet. Phishing also undermines the public's trust in the Internet. By making consumers uncertain about the integrity of commercial and financial websites, and even the Internet's addressing system, phishing can make them less likely to use the Internet for business transactions. People who cannot trust where they are on the World Wide Web are less likely to use it for legitimate commerce and communications.[xx] This perspective finds support in a 2005 Consumer Reports survey, which showed declining confidence in the security of the Internet. Among several findings, the survey found that 9 out of 10 American adult Internet users have made changes to their Internet habits because of the threat of identity theft, and of those, 30 percent say that they reduced their overall usage. Furthermore, 25 percent say they have stopped shopping online, while 29 percent of those that still shop online say they have decreased the frequency of their purchases.[xxi]

• Difficulties in Law Enforcement Investigations. Unlike certain other types of identity theft that law enforcement agencies can successfully investigate in a single geographic area (e.g., theft of wallets, purses, or mail), phishing, like other types of crime that exploit the Internet, can be conducted from any location where phishers can obtain Internet access. This can include situations in which a phisher in one country takes control of a computer in another country, then uses that computer to host his phishing website or send his phishing e-mails to residents of still other countries. Moreover, online criminal activity in recent years has often reflected clear-cut divisions of labor. For example, in an online fraud scheme, the tasks of writing code, locating hosts for phishing sites, spamming, and other components of a full-scale phishing operation may be divided among people in various locations. This means that in some phishing investigations, timely cooperation between law enforcement agencies in multiple countries may be necessary for tracing, identification, and apprehension of the criminals behind the scheme.

• Incentives for Cross-Border Operations by Criminal Organizations. Law enforcement authorities in Canada and the United States are concerned that each of the preceding factors also creates incentives for members of full-fledged criminal organizations in various countries to conduct phishing schemes on a systematic basis. Law enforcement already has indications that criminal groups in Europe are hiring or contracting with hackers to produce phishing e-mails and websites and develop malicious code for use in phishing attacks.

Responses to Phishing: Current and Promising Practices

Private-sector entities and government agencies in Canada and the United States have undertaken a growing variety of measures and initiatives to combat phishing. As explained below, many of these measures and initiatives are multi-sectoral, multi-jurisdictional, and multi-agency, and extend beyond law enforcement entities.

Public Education

Because phishing is a form of identity theft that differs substantially from other, physically-based identity theft techniques, government and the private sector need to ensure that the public receives regularly updated information about the latest phishing techniques and how to recognize them. At the May 2003 Cross-Border Crime Forum, PSEPC (then the Department of the Solicitor General of Canada) and the U.S. Department of Justice jointly issued two public advisories on current trends and developments in identity theft: one directed at consumers and the other at retailers. The advisories highlighted some of the most significant forms of identity theft in Canada and the United States, explaining how to recognize them and how to respond. Since then, various Canadian and U.S. law enforcement agencies have widely disseminated phishing-related information to the public. For example, the U.S. Department of Justice issued a special public advisory on phishing in 2004,[xxiv] the U.S. FTC issued a consumer alert on phishing in 2005,[xxv] and the RCMP has recently posted information about phishing and vishing on its website.[xxvi]

Authentication

Although consumer education programs are an important component of the fight against phishing and other forms of identity theft that involve "social engineering," they will not suffice to provide adequate protection for the public as phishers continue to refine their attack techniques. The private sector needs to continue its efforts to improve authentication technologies, and to deploy multifactor authentication measures as appropriate, to strengthen the confidence of Internet users in the reliability and provenance of online messages they receive. Greater industry efforts towards standardizing how enterprises will communicate with their clients (e.g., what information they will use for authentication purposes and under what circumstances they will request it) may also be important in addressing this issue.

Legislative Frameworks

A strong legislative framework is also fundamental to combating identity theft, and specific mechanisms and/or methods used to that end such as phishing. In Canada, there are currently no offences in the Criminal Code that directly prohibit or apply to phishing or other methods of obtaining identity information for a criminal purpose. If a phishing attack is using large volumes of "spam" (unsolicited e-mails) that could interfere with a computer system, or if the spam employs deceptive headers so as to avoid spam filters, then certain computer data related offences in the Criminal Code may apply. The use of identity information that has been obtained, whether by phishing or by other means, could, however, amount to any of a number of criminal offences, such as fraudulent personation, fraud, or unlawful use of credit card data. The Department of Justice began several years ago to review the Criminal Code to determine its adequacy for dealing with the growing problem of identity theft. The Department has begun developing proposals to address some of the limitations of the criminal law in this area and consulting with key stakeholders to obtain their valuable input on legislative amendments.

Another recent development in Canada with implications for phishing-related legislation was the 2004 launch by the Government of Canada of An Anti-Spam Action Plan for Canada and the establishment of a government-private sector task force to oversee and coordinate its implementation. In 2005 this task force was asked to produce a report on the status and progress that had been made. The report that they produced, Stopping Spam: Creating a Stronger, Safer Internet, set forward 22 recommendations to combat spam, promote public awareness, and restore confidence in e-mail. They also set forward best practices for Internet service providers and other network operators, and for e-mail marketing. Additionally, they recommend that legislation be enacted to prohibit certain forms of spam and other emerging threats to the safety and security of the Internet (e.g. phishing), and that a federal coordinating body should be established to deal with the spam issue on an ongoing basis.[xxvii] This is important for the phishing issue because phishing is usually accomplished through the technique of spamming, which is the sending out of unsolicited bulk e-mails. In the case of phishing, spam routinely allows criminals to distribute their fraudulent e-mails to many consumers at minimal cost.

In the United States, since 1998 federal law, and laws in nearly all of the states, have adopted specific criminal legislation on identity theft that can be applied to phishing.[xxviii] In addition, federal authorities can use a variety of federal fraud offences, such as wire fraud,[xxix] and the CAN-SPAM Act,[xxx] to address both the sending of phishing e-mails and the use of deceptive e-mail headers or other techniques characteristic of criminal spam. Currently, at the direction of President Bush, the President's Identity Theft Task Force is preparing a strategic plan to combat all forms of identity theft more effectively, including possible changes in legislation where appropriate. That plan is expected to be submitted to the White House in early February 2007.

Enforcement

An effective and comprehensive response to identity theft requires the investigation and prosecution of appropriate cases involving phishing schemes

Conclusion

Phishing is a form of criminal conduct that poses increasing threats to consumers, financial institutions, and commercial enterprises in Canada, the United States, and other countries. Because phishing shows no sign of abating, and indeed is likely to continue in newer and more sophisticated forms, law enforcement, other government agencies, and the private sector in both countries will need to cooperate more closely than ever in their efforts to combat phishing, through improved public education, prevention, authentication, and binational and national enforcement efforts.

While phishing is a particular threat on its own, it is also important to recognize that the challenges posed to policy makers and law enforcement officials in regards to phishing are those reflected in the larger issue of identity theft as well. The Report on identity theft presented to the Binational Working Group on Cross-Border Mass Marketing Fraud in October 2004 sets out recommendations to address the threats posed by identity theft, including coordinating public education initiatives, enhancing reporting mechanisms and enforcement, reviewing legislative frameworks and improving document and data integrity and security. This report further endorses those recommendations in support of the fight against phishing and identity theft as a whole. In response to those recommendations governments in both countries will continue to work together in an effort to reduce phishing and identity theft.
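
The link tricks described under Link Manipulation above (misspelled names, sub domains, the '@' symbol and IDN homographs) can be checked mechanically in a mail or proxy filter. The following is an added example, not part of the original text; the trusted-domain list, the flag names and the sample links are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

TRUSTED = {"bank.example"}  # assumption: the domains the real organisation uses

def edit_distance(a, b):
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def link_flags(url, trusted=TRUSTED):
    """Return the set of link-manipulation indicators found in url."""
    flags = set()
    parts = urlsplit(url)
    host = (parts.hostname or "").rstrip(".")
    labels = host.split(".")
    if "@" in parts.netloc:
        # Everything before '@' is userinfo; the browser connects to what follows.
        flags.add("userinfo-at-sign")
    if not host.isascii() or any(l.startswith("xn--") for l in labels):
        flags.add("idn-hostname")  # non-ASCII or punycode label: possible homograph
    if any(host == good or host.endswith("." + good) for good in trusted):
        return flags  # really is a trusted domain; skip the lookalike checks
    for good in trusted:
        tail = ".".join(labels[-(good.count(".") + 1):])
        if 0 < edit_distance(tail, good) <= 2:
            flags.add("misspelled-domain")  # one or two letters off
        if f".{good}." in f".{host}":
            flags.add("trusted-name-as-subdomain")
    return flags

# Constructed sample links (reserved .example/.test names, documentation IP).
SAMPLES = [
    "https://www.bank.example/login",
    "http://www.bannk.example/login",
    "http://www.bank.example.login.evil.test/",
    "http://www.bank.example@203.0.113.5/login",
    "http://b\u0430nk.example/",  # Cyrillic U+0430 in place of Latin 'a'
]

if __name__ == "__main__":
    for url in SAMPLES:
        print(sorted(link_flags(url)), url.encode("ascii", "backslashreplace").decode())
```

The lookalike check compares only the last labels of the host against each trusted domain, so it needs no public-suffix list but will miss lookalikes registered under a different suffix.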