Phishing is a form of computer attack in which the attacker poses as a trusted entity. Usually, phishing attacks are conducted against random victims via forged email messages that appear to come from a bank, eBay, PayPal, or another trusted company. The forged email asks the victim to visit a website and to enter personal information such as credit card numbers, usernames, and passwords. The website that the user is directed to, which appears to be the website of a legitimate corporation, sends the collected information to the attacker. Phishing is one of several types of attack on the Internet that rely on social engineering to succeed.

The first widespread phishing attacks were staged against America Online users, and even against AOL itself. The AOHell program sent password requests to AOL users via Instant Message, posing as an AOL representative. Accounts compromised in this way were then used to send warez files between users, and as staging grounds to launch attacks against other naive AOL users. The creator of the program claims to have written it with the intention of disrupting AOL service because AOL had closed his personal account.

The newest versions of the three major web browsers - Internet Explorer, Firefox, and Opera - all have anti-phishing measures built in. Additionally, many modern email clients and web-based email providers can detect phishing attempts and warn users. The majority of browser-based anti-phishing tools depend upon a blacklist of known phishing websites. Each time a user visits a website, the browser checks a blacklist to see if the website is present. As such blacklists are very large, and are updated very frequently, they cannot be easily transferred to the user's computer. Thus, the browser 'calls home' - usually to the provider of the browser - and reports the address of the website in question. This approach has drawn fierce criticism from privacy activists, who worry that such information may be collected and aggregated.
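The lookup described above, as an added example that is not part of the original article or any browser's own code: a constructed `Provider` stands in for the vendor's service and records what each client discloses, comparing the full-address report with a hashed-prefix query. The hashed-prefix variant goes beyond the text and is one assumed way to reduce disclosure; all names, hosts and the 8-character prefix length are hypothetical.

```python
import hashlib
from urllib.parse import urlsplit

# Constructed sample blacklist (hypothetical hosts under the reserved .test TLD).
BLACKLIST = {"login.bank-example.test/verify", "phish-example.test/"}

def canonical(url):
    """Reduce a URL to lowercase host + path; drop scheme, port, query, fragment."""
    parts = urlsplit(url)
    return (parts.hostname or "").lower() + (parts.path or "/")

def digest(entry):
    return hashlib.sha256(entry.encode()).hexdigest()

class Provider:
    """Stand-in for the browser vendor's lookup service; records what it is sent."""
    def __init__(self, blacklist):
        self.hashes = {digest(e) for e in blacklist}
        self.seen = []  # everything clients disclosed to the service

    def check_url(self, url):
        # Design described in the text: the client reports the address itself.
        self.seen.append(url)
        return digest(canonical(url)) in self.hashes

    def hashes_with_prefix(self, prefix):
        # Assumed alternative: the client sends only a short hash prefix.
        self.seen.append(prefix)
        return {h for h in self.hashes if h.startswith(prefix)}

def lookup_full_url(provider, url):
    return provider.check_url(url)

def lookup_hash_prefix(provider, url, prefix_len=8):
    full = digest(canonical(url))
    candidates = provider.hashes_with_prefix(full[:prefix_len])
    return full in candidates  # the final match is decided on the client

if __name__ == "__main__":
    url = "http://LOGIN.bank-example.test/verify?user=alice"  # constructed
    for lookup in (lookup_full_url, lookup_hash_prefix):
        p = Provider(BLACKLIST)
        print(lookup.__name__, "blocked:", lookup(p, url), "provider saw:", p.seen)
```

A hash prefix still reveals something about browsing habits to the service, so it narrows the disclosure rather than eliminating it.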

