Phishing Emails

Masquerade as bank or payment service
• Attacker sends a bogus email to entrap victim
• Email links to a web login screen
• Website captures victim's details

Phishing is the generic name for a variety of email scam that has recently proved very effective for criminals. The basic idea is to generate an official-looking email, apparently from a bank or e-payment company, and send it to many millions of recipients. The email invites you to click on a link to log into your account, but the link points to the criminal's webserver. As you type your username, password and other security details, the criminal captures them, then logs into your real account and empties it.

It's a simple ploy, but it has been very effective. Most banks and payment systems don't send email requesting details, and recommend that you reach their website by typing its address into the browser address bar directly, rather than clicking on links from dubious sources. Look at the HTML for the link, and you'll usually see that it points to a bare numeric IP address rather than the bank's domain name (as shown in Figure 7.3, "A simple email scam, with real link address in status bar").

The way a website is constructed provides the means for making these phishing scams so effective: it is easy to copy the graphics and visual style, or even whole webpages, to a bogus server and adapt them to gather login data or other personal information. Similarly, the use of HTML in emails allows graphics to be embedded to replicate the visual style of a bank or payment site.

Many of the latest generation of browsers (IE7, Firefox 2, Opera 9) come with built-in tools which can detect some forms of phishing. These work by checking URLs against a central database of known phishing sites, and can be quite effective against well-known attacks, though, as with most security software, they are only partially effective.
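As an added example (not part of the original post), this is the kind of check the text above describes: pull every link out of an HTML email body, flag any href that points at a raw numeric address or that disagrees with the domain shown in the link text, and compare the host with a local blocklist standing in for the browsers' central database. The sample email, the examplebank.example domain and the blocklist contents are constructed.

```python
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlparse
# Constructed sample: a bogus "bank" email whose visible link text shows the
# bank's domain while the real href points at a raw numeric address.
SAMPLE_EMAIL = """<p>Dear customer, please verify your account:</p>
<a href="http://192.0.2.10/login/">https://www.examplebank.example/login</a>
<p><a href="https://www.examplebank.example/help">Help</a></p>"""
# Hypothetical local copy of a "known phishing sites" list (hostnames only).
KNOWN_PHISHING_HOSTS = {"192.0.2.10"}
DOMAIN_LIKE = re.compile(r"^(?:https?://)?[\w-]+(?:\.[\w-]+)+")

class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in the HTML."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def check_links(html):
    """Return [(href, [reasons])] for every link that looks suspicious."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        host, reasons = urlparse(href).hostname or "", []
        try:  # a bare IP literal where the bank's domain name should be
            ipaddress.ip_address(host)
            reasons.append("href points at a raw IP address")
        except ValueError:
            pass
        if DOMAIN_LIKE.match(text):  # text that looks like a URL must match
            shown = urlparse(text if "://" in text else "http://" + text).hostname
            if shown != host:
                reasons.append(f"text shows {shown} but link goes to {host}")
        if host in KNOWN_PHISHING_HOSTS:
            reasons.append("host is on the known phishing list")
        if reasons:
            findings.append((href, reasons))
    return findings
```

Running `check_links(SAMPLE_EMAIL)` flags only the first link, for all three reasons; the genuine help link passes.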

Reviewed by Internet blogger on 07:54:00