“Phishing” is a kind of identity theft. Most commonly this consists of sending out emails purporting to be from a legitimate source such as a financial institution. Under some false pretense, such as the claim that your account needs verifying, an email will ask that you go to a Web site by clicking on a link in the email. When you go to the Web site, you are asked to “update” or “confirm” personal information such as account numbers and passwords. The Web sites may look just like a legitimate page but they are bogus sites designed to steal from your accounts. The link in the email may read like it leads to an authentic site but actually takes you to a fake page.
Banks are a favorite target of “phishing”. The scammers use mass-mailing methods and many of the recipients do not even have an account at the targeted bank. However, all it takes is 1 or 2 per cent responses for the con to result in a nice haul. An example of a scam email that I once received is shown below:

Note the psychological tricks known as social engineering in the email. The very problem that we are concerned with—identity theft—is brazenly used as a way to induce you to allow identity theft. It plays on your fears. Moreover, the email looks like a real Citicorp email. Also, note that although the link in the email contains the name “Citibank”, it has nothing to do with Citibank. In fact, the link that appears in the text of the message is likely to have little relation to the actual link contained in the underlying HTML code. To see the real link in an email message, right-click on the text and choose “Properties” from the context menu. To see an example of a faked link, try this one that seems to be from a familiar company (but isn’t): http://www.microsoft.com.
Another trick that is used is to take you to a page that uses JavaScript to generate a pop-up form and then redirect you to the actual bank site. What then appears on your screen is a fake form on top of a legitimate page.
Here is another example of "phishing":

ISPs, banks, etc. do not ask for passwords and the like to be entered by email. Be suspicious of any email message that asks for personal information. Don’t ever follow a link in an email that asks you to update or verify sensitive information. If you want to contact a company, go to their Web site by using a link from your records or telephone them.
If you would like to test how good you are at recognizing "phishing" messages, go to this quiz site, where examples of actual "phishing" are mixed with legitimate mail.