
Introduction to phishing

What is phishing?

Phishing (also called brand spoofing or carding) is a technique for acquiring your personal information (e.g., credit card or bank account numbers and passwords) and subsequently committing fraud in your name. This might include stealing your identity or emptying your checking and savings accounts. It has been around since 1996 but is becoming more common and more sophisticated. It's a form of cyber-crime that's growing faster than the ability of the police or courts to deal with it. The word "phishing" is simply a play on the word "fishing": scammers drop email lures into the sea of Internet users, hoping to hook your personal information.

There is a newer and more dangerous variation called “spear phishing.” It’s more insidious than regular phishing because the sender knows exactly who you do business with and what kind of accounts you have. The email they send is very convincing, appearing to come from a credit union, stockbroker or friend, so you're inclined to open it without hesitation. Once you do, a “Trojan Horse” installs a crimeware program on your computer that records your keystrokes, including your account information and passwords. As soon as you realize you've opened one of these illegitimate emails, you need to assume that your sensitive information has been captured or is at risk. Until you’ve installed and run an anti-spyware program like “Spybot – Search and Destroy” or Norton, do not log in to any of your financial accounts. The crimeware will record your password and account information and transmit it to the crooks, who then sell it to the highest bidder.

Another new variation is called vishing, which involves voice communication. Email may or may not be involved.

How does it occur?

The majority of phishing is currently conducted by email. In a typical phishing attempt, you will receive an authentic-looking email message that appears to come from a legitimate business (e.g., a bank or online shopping site). It will ask you to divulge or verify personal data such as an account number, password, credit card number or Social Security number. Often the wording may try to scare you into providing information.

For example, you might receive an email that appears to be from your bank asking that you click on a link in the message. This link might take you to a bogus Web site where you would be asked to verify your online banking information. Intimidating language might be included, e.g., "Your account will be closed or suspended if you don't follow these directions." Although legitimate online banking and e-commerce are very safe, you should always be careful about giving your personal financial information over the Internet.

It is also possible for you to be phished by mail, telephone or even in person. The latest and most rapidly growing threat is through the use of Instant Messaging (IM), which can be used for identity theft as well as for spreading viruses and spyware.

Who perpetrates it?

Phishers are scam artists. They send out millions of emails, realizing that even if only a few recipients give them enough identifying information, they can profit from the resulting fraud. Would-be phishers can actually purchase software specifically designed to help set up and manage a phishing scam site instead of trying to build one from scratch.

Who is affected by phishing?

Popular targets are users of online banking services and auction sites such as eBay. If your email address has been made public anywhere on the Internet (e.g., posted on a forum, newsgroup or Web site), then you are more susceptible to phishing. Scammers can use spidering or Web-crawling programs to search the Internet and collect millions of email addresses.

Content last updated May 3, 2005 by dlschmid
Page last modified July 26, 2006 by cawalker
