How it works: Phishing
Phishing scams are getting increasingly sophisticated and harder to spot
Last Updated: Wednesday, June 25, 2008 | 1:57 PM ET
By Grant Buckler CBC News
You receive an official-looking e-mail that says your bank is concerned about attempts to access your online bank account using an incorrect password, and that it needs you to verify your information. You click on the link (conveniently provided), and what looks like a bank website appears in your browser. You enter your user name and password.
A few weeks later, transactions you know nothing about start appearing on your bank or credit card statement.
The short answer is that you fell for a phishing attack.
Exactly how it works takes a little more explaining.
First, the fraudulent note doesn't have to come from a purported bank. Other common examples of phishing attacks use references to the eBay online auction site, the Paypal electronic payment service and stock-trading sites.
Some phishers even target online game sites, aiming to get participants' "virtual money," says Dmitry Samosseiko, manager of SophosLabs Canada at Sophos, a security software firm.
In short, while purporting to come from an institution or company you do business with, phishing e-mails are fakes. Sometimes this is obvious, such as in cases where you get an e-mail about your account with a company with which you've never done business. Some phishing e-mails are easy to spot because of misspellings and bad grammar.
But phishing is getting increasingly sophisticated and harder to spot. Perpetrators today often run their operations like businesses, with salaried employees, including not just programmers, but also professional writers, says Dave Marcus, security and research manager for security software maker McAfee Inc. in Santa Clara, Calif.
Whether a phishing e-mail is well or poorly written, somewhere in the message is a link that you are expected to click - and it's when you do that you get into trouble.
No matter what the text in the link might say when you read the e-mail, the link itself does not lead to a legitimate website.
The website it does take you to may look very convincing, though. The most competent phishing sites can be quite hard to spot. Phishers capture corporate logos and copy the designs of legitimate websites, so there's little to tip you off that you're handing over your login and password information to a crook.
The link itself can be a giveaway, though.
Less sophisticated phishing e-mails may openly display a link that closely resembles a legitimate one but is subtly different. Say your bank is MajorBank, and its legitimate website is www.majorbank.ca. A phishing e-mail might use a link with a slightly different domain name, like www.majorbank1.ca/securityverification, or even one with a hard-to-spot misspelling like www.maiorbank.ca (see the i in place of the j?).
Another approach is to display one thing in the text of the e-mail, but have the link actually direct you somewhere else. For example, the link in the e-mail might read www.majorbank.ca, but when you click on it, the underlying page code can instruct your browser to go to a completely different URL. In this case, the actual web address to which the link leads may bear no resemblance at all to a legitimate one. Most e-mail software can show you what address a link actually points to (if you're paying attention), or warn you when the target of the link doesn't match what is displayed.
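As an added illustration (not part of the CBC article), the following Python check does what the paragraph says good e-mail software does: it parses the HTML of a message, compares each link's visible text with the address it really points to, and flags domains that are a letter or two away from the bank's real one. The bank www.majorbank.ca and its lookalikes are the article's hypothetical examples; the sample message and the known-good host list are constructed here.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample message (not from the article) built around the article's
# hypothetical bank www.majorbank.ca and the two lookalike tricks it describes.
SAMPLE_EMAIL_HTML = """
<p>Please <a href="http://www.majorbank1.ca/securityverification">verify
your account</a> or log in at <a href="http://www.maiorbank.ca/login">www.majorbank.ca</a>.</p>
"""
LEGITIMATE_HOSTS = {"www.majorbank.ca"}  # assumed known-good host for this bank

class LinkCollector(HTMLParser):
    # Collect (href, visible text) for every <a> element in the message.
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join("".join(self._text).split())))
            self._href = None

def host_of(s):
    """Host part of a URL, or of bare link text such as www.majorbank.ca."""
    return urlsplit(s if "://" in s else "http://" + s).hostname or ""

def levenshtein(a, b):
    """Edit distance; a host within 2 edits of a legitimate one is a lookalike."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check_links(html):
    """Return (href, reason) for each anchor whose target is not a legitimate host."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        host = host_of(href)
        if host in LEGITIMATE_HOSTS:
            continue  # leads to the bank's real host: nothing to flag
        if text.startswith(("www.", "http://", "https://")) and host_of(text) != host:
            findings.append((href, "display text points elsewhere"))
        elif any(levenshtein(host, good) <= 2 for good in LEGITIMATE_HOSTS):
            findings.append((href, "lookalike domain"))
    return findings
```

Run on the sample, the check reports the majorbank1.ca link as a lookalike and the maiorbank.ca link as one whose displayed address differs from its real target.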
Reeling you in
Assuming you don't spot the deception and do click on the fraudulent link in an e-mail message, what happens on the fake website that allows the bad guys to defraud you?
This part is fairly simple, really.
A phishing website will typically ask you to enter your user ID and password for the legitimate website you think you are looking at (again, note that the fake phishing site may be a perfect copy of the real site that it is masquerading as). When you enter the information, the fake site captures and stores it.
The phishers can then use the information to get access to your account. Or - as often happens in today's increasingly sophisticated computer crime world - the phishers who specialize in gathering such information simply sell it to others who specialize in using it to defraud people.
Once the phishing site has captured your information, it can simply show you an error message that claims your login failed. Some sites will then shunt you to the legitimate website of the company the phishers are impersonating, where you will try again and log in successfully, suspecting nothing other than a little slip of the fingers when entering your password. With others, you'll just keep getting the error message until you give up.
The end result can be anything from a few illegitimate charges against an account to wholesale identity theft.
Netting the phishers - or not
So why don't these people get caught? Surely someone will spot the deception and report it, and then the authorities can move in and shut down the bogus sites?
They can if they move fast enough, but the problem is that the phishers know they have a limited window of opportunity, so they work fast and they keep moving.
A fake site may operate only for an hour or so. Samosseiko says scam artists usually only use the data their spoof sites capture in the first few minutes of operation, knowing that after that, there is too much risk that someone who is on to them will start planting fake data in order to try to snare them.
Another problem for law enforcement officials is that phishing sites rarely run on the criminals' own web servers. Instead, phishers hack into poorly secured servers and set up their websites there. So even if authorities find the machine on which a fake site runs, they haven't found the criminals behind the phishing scheme.
The silver lining to phishers' use of unsecured servers is that most such servers lack facilities for encrypting data, so despite the fact that these scam artists are technically sophisticated, their sites usually lack the security that real banking and financial sites have. One precaution consumers can take is to look for "https:" at the start of web addresses. This denotes a secure site, and financial sites almost always have it, while phishing sites usually don't.
Other than that, Samosseiko says, consumers should always log into banking sites and others that deal with money and sensitive information by typing the address into a browser, not by clicking on a link in an e-mail.
Using a newer browser - many of them have built-in anti-phishing protection - provides some protection. And it's a good idea to check bank and credit accounts regularly for suspicious transactions.
The author is a Kingston, Ont.-based freelance writer.