Phishing is usually defined as an attempt to gain credentials from a person under false pretenses through electronic media. The term comes by way of an analogy with ‘fishing’, and receives the “ph” substitution through association with the previous practice of “phone phreaking”–exploiting the telephone system to gain unwarranted access to telecom services.
Perhaps the most common form of phishing is the ‘bank password reset’ scam: the user receives an email purporting to be from their bank requesting that they reset their password (usually with the threat of some kind of inability to access their account if this is not completed quickly) and providing a link to a legitimate-looking page to do so. When the user enters their ‘old’ credentials, the person running the scam receives these credentials and can either use them to perform transactions as though they were the person or sell them to a third party to do so.
While some are fairly convincing, identifying a phishing email is not as difficult as it might otherwise seem.
First, no legitimate website, bank, or other institution will send an email requiring that you reset your password “immediately”–if there were an actual security concern, then the website can log out all sessions, expire all passwords, and require users to use the “forgot your password?” link on their next login attempt. It’s an inconvenience, but one which maintains security.
Secondly, there are generally several clues that a website is not legitimate. Carefully checking the spelling of the URL can reveal a practice known as “typosquatting”–that is, buying a domain name that is close to that of a legitimate website but which could conceivably be entered by accident through a typo, and setting up a website there that appears to be legitimate.
Thirdly, only the legitimate institution will be able to provide a legitimate security certificate. If the indicator on your browser does not show a successful SSL connection, and if the URL does not start with HTTPS, then chances are it’s not a legitimate website.
Additionally, it’s common for phishers to make various mistakes in the composition of the fake website–using an out-of-date logo, for instance, or inadvertently using regional dialects that reveal the phisher’s country of origin but would not likely be used by the official website.
The first rule of preventing phishing is to never click on, nor respond to, a link in an email you did not specifically request from a known source. No legitimate bank will send an email of this sort; there is no cause for them to do so–they already have more than enough information about you to determine if you are you or not, so you will not lose access to your money should you fail to “reset” a password “immediately.”
Secondly, before you enter any information on a webpage, make sure that you know exactly where you are entering the information and for what purpose. Check for an SSL connection: only the legitimate site will be able to offer a correctly working SSL connection; encryption using credentials from a trusted authority–usually these authorities are listed by your browser–verifies identity.
Third, the basic safety rules still apply.
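The URL checks described above (a host that is a near-miss of the real domain, a brand name buried inside an unrelated host, and a link that is not served over HTTPS) can be turned into a small triage routine. The following is an added example written for this page, not code from the article; the trusted-domain list, the `examplebank.com` brand and the sample links are all constructed for illustration, and `registrable_domain` deliberately simplifies by taking the last two labels (it does not know about multi-label suffixes such as `co.uk`).

```python
"""Triage helper for links found in suspicious e-mails (added example).

Flags the clues the text describes: a host within a couple of typos of a
domain you actually use (typosquatting), a trusted brand name embedded in an
unrelated host, userinfo tricks such as https://examplebank.com@evil.example/,
punycode labels that a browser may render as lookalike glyphs, and links that
are not served over HTTPS.  TRUSTED_DOMAINS and the sample URLs are constructed.
"""
from urllib.parse import urlsplit

# Constructed list of domains the reader actually does business with.
TRUSTED_DOMAINS = ["examplebank.com"]


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: minimum single-character edits turning a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # deletion
                           cur[j - 1] + 1,              # insertion
                           prev[j - 1] + (ca != cb)))   # substitution
        prev = cur
    return prev[-1]


def registrable_domain(host: str) -> str:
    """Last two labels of the host (simplification: ignores suffixes like co.uk)."""
    return ".".join(host.split(".")[-2:])


def inspect_link(url: str, trusted=TRUSTED_DOMAINS) -> dict:
    """Return the parsed host, a list of findings and a verdict.

    verdict: "trusted"  host belongs to a listed domain and nothing is wrong
             "reject"   at least one finding
             "unknown"  nothing wrong, but the host is not on the list
    """
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").lower().rstrip(".")
    findings = []

    if parts.scheme != "https":
        findings.append("not-https")
    if parts.username is not None:
        # The part before "@" is displayed prominently but is not the host.
        findings.append("userinfo-in-url")
    if not host:
        findings.append("no-host")
        return {"host": host, "findings": findings, "verdict": "reject"}
    if any(label.startswith("xn--") for label in host.split(".")):
        findings.append("punycode-label")

    on_list = any(host == t or host.endswith("." + t) for t in trusted)
    if not on_list:
        reg = registrable_domain(host)
        for t in trusted:
            brand = t.split(".")[0]
            if edit_distance(reg, t) <= 2:          # examp1ebank.com, examplebank.co
                findings.append(f"lookalike:{t}")
            elif brand in host:                     # examplebank.com.account-verify.net
                findings.append(f"embedded-brand:{t}")

    verdict = "reject" if findings else ("trusted" if on_list else "unknown")
    return {"host": host, "findings": findings, "verdict": verdict}


if __name__ == "__main__":
    # Constructed sample links, as they might appear in an e-mail.
    for sample in [
        "https://online.examplebank.com/login",
        "http://examp1ebank.com/reset",
        "https://examplebank.com.account-verify.net/reset",
        "https://examplebank.com@evil.example/",
        "https://xn--examplebnk-7sb.com/",
    ]:
        print(sample, "->", inspect_link(sample))
```

The host-name comparison is the decisive check here, not the padlock: a certificate only binds a key to the host name shown in the URL, so a typosquatted domain can be served over HTTPS just as easily as the real one. The routine therefore treats a clean but unlisted host as "unknown" rather than safe, which matches the text's advice to know exactly where you are entering information before you enter it.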
Make security an everyday requirement, and your chances of being compromised by a scam decrease quickly. Phishers and their ilk try to get the ‘low hanging fruit’–they have neither the time nor the resources to pursue skeptical targets; typically, their collection pages last only a matter of hours before they’re detected and marked as fraudulent. If they don’t get a speedy response from you, then you aren’t going to be useful to them–which is why phishing emails typically take an urgent tone. So, if you take no other action on a suspicious email, wait a couple of days. The fewer people who fall for the phishing traps, the fewer traps there will be in the future–it’s not profitable if you pay attention.