Below is the most recent article I wrote. You’ll find it posted on a few other websites too, but, as I consider this topic of general interest, I post it here and on Pamil Visions’ second blog as well. Webmasters are free to reprint this article provided that it is not edited, the author’s information is included “Mihaela Lica, founder of Pamil Visions – online public relations, SEO Web design and online brand development”, and the links are included as live links. 

Phishing started around 1996 as a way of stealing AOL dial-up account passwords and grew into a genuine criminal enterprise. Today phishers target online payment and banking services (PayPal, ClickBank, etc.) and online commerce sites (eBay, Amazon, etc.). The word comes from “fishing”; the “ph” is the usual hacker substitution for “f”, as in “phreaking”. Wordspy defines it as: “Creating a replica of an existing Web page to fool a user into submitting personal, financial, or password data.”

Banks and credit card issuers lose billions of dollars (and other currencies) every year to phishing, and there is practically no Web user who hasn’t received at least one phishing email or visited at least one bogus website. Some recognize the fake site in a flash, others don’t even realize how close they came to a serious financial loss, and the most unfortunate become victims, after which there is very little they can do beyond alerting their bank as quickly as possible.

There is another key point you need to understand: it doesn’t matter how smart you are, how experienced you are on the Web, or whether you are an SEO guru or an IT expert. Your age doesn’t matter, nor does your level of education. Anyone can fall for phishing.

What makes phishing work? How can we possibly tell a genuine website from a bogus one? In their paper “Why Phishing Works”, Rachna Dhamija of Harvard University and J.D. Tygar and Marti Hearst of UC Berkeley set out to answer exactly that question: what makes a bogus website credible? I suggest you read their report to understand how and why even experienced Web users fail to recognize phishing websites and phishing strategies; in their study the best phishing site fooled more than 90% of the participants. The study identifies problems such as lack of knowledge of how computer systems work, visual deception (text, graphics and images mimicking browser windows, windows masking underlying windows, perfect copies of a site’s layout, etc.), lack of attention to security indicators, and more.

To understand how phishing works, one should go beyond the Wordspy definition and understand what phishing really is. According to the Anti-Phishing Working Group, “Phishing is a form of online identity theft that employs both social engineering and technical subterfuge to steal consumers’ personal identity data and financial account credentials.” The replica of a genuine website is just one tool; the emails sent to your inbox to lure you into clicking a link that leads to the spoof website are another.

How does this work in practice? If you use any form of online banking, or you are an active eBay seller, you have probably already read the warnings posted on the genuine websites: eBay publishes them in its Security & Resolution Center, and PayPal warns against spoof emails and websites in its Security Center. So does every other legitimate website that asks for your financial data. But so do the phishing websites!

A clearly displayed disclaimer, security center and privacy policy links are no longer enough to verify a website’s authenticity. A perfect layout and faultless graphics will fool you too, because they are simply copied from the real site. If you ignore the security warnings from your browser you are on the wrong path from the start. Many inexperienced users don’t know where to look for the SSL closed-padlock icon and mistake any such icon on a Web page for the real thing, but a picture of a padlock inside the page content proves nothing; only the one drawn by the browser itself counts. Please remember: some spoof websites are pixel-for-pixel copies of the legitimate ones. Pay attention to the small details; they can be the difference between a genuine website and a spoof.

So, when you visit a commercial website that asks for personal data, make sure the connection is SSL protected. In Firefox, look for the padlock: it should appear on the right side of the address bar and again on the right side of the status bar. In Internet Explorer you will see a padlock, or an icon that looks like a key, in the status bar, and that is all the warning IE gives you, which is not much. Firefox gives you two more: a yellow background in the address bar together with the correct https:// prefix (meaning HTTP is being sent over SSL/TLS), and the domain name in the status bar. One caveat applies to every browser: the padlock only tells you that the connection is encrypted to whoever holds a certificate for the domain shown in the address bar. Phishers can obtain perfectly valid certificates for look-alike domains, so always read the domain name itself, not just the icon.
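The name check behind the padlock is worth seeing concretely: a browser compares the host you typed against the names in the certificate before it shows the icon, and a certificate for a spoof domain passes that check just as well as the genuine one does. The following Python script is an added example, not code from the original article; the two certificate dicts are constructed in the shape that `ssl.SSLSocket.getpeercert()` returns and are not real PayPal or spoof certificates.

```python
"""Does the certificate actually name the host you typed?  This is the check a
browser performs before it draws the padlock (added example, not from the
article).  The certificate dicts below are constructed in the shape that
ssl.SSLSocket.getpeercert() returns; they are not real certificates."""
import socket
import ssl

# Constructed: what a genuine PayPal certificate might carry in its SAN list.
GENUINE_CERT = {
    "subject": ((("commonName", "www.paypal.com"),),),
    "subjectAltName": (("DNS", "www.paypal.com"), ("DNS", "paypal.com")),
}
# Constructed: a perfectly valid certificate for a spoof domain.  Any CA will
# issue it to whoever controls secure-login.example, so the spoof site gets a
# padlock too.
SPOOF_CERT = {
    "subject": ((("commonName", "www.paypal.com.secure-login.example"),),),
    "subjectAltName": (
        ("DNS", "www.paypal.com.secure-login.example"),
        ("DNS", "secure-login.example"),
    ),
}


def san_dns_names(peercert):
    """dNSName entries from a getpeercert() dict (browsers ignore the CN today)."""
    return [value for kind, value in peercert.get("subjectAltName", ()) if kind == "DNS"]


def name_matches(pattern, hostname):
    """RFC 6125 style comparison of one certificate name against a hostname.

    A wildcard stands for exactly one label, must be the left-most label, and
    may not cover a whole top-level domain ('*.com' never matches anything).
    """
    pat = pattern.lower().rstrip(".")
    host = hostname.lower().rstrip(".")
    if pat.startswith("*."):
        suffix = pat[2:]
        if "." not in suffix or "*" in suffix:
            return False
        labels = host.split(".")
        return len(labels) >= 2 and ".".join(labels[1:]) == suffix
    return pat == host


def cert_covers(peercert, hostname):
    """True when at least one SAN entry matches the name the user typed."""
    return any(name_matches(name, hostname) for name in san_dns_names(peercert))


def fetch_peercert(hostname, port=443, timeout=5):
    """Live variant (needs network, not used by the offline demo): handshake and
    return the peer certificate.  The default context already verifies the chain
    and the hostname, so a mismatch raises ssl.SSLCertVerificationError here."""
    context = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with context.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    for label, cert in (("genuine", GENUINE_CERT), ("spoof", SPOOF_CERT)):
        for typed in ("www.paypal.com", "www.paypal.com.secure-login.example"):
            print("%-8s cert, typed %-38s -> %s" % (label, typed, cert_covers(cert, typed)))
```

Run stand-alone, the script shows that the spoof certificate is valid for `www.paypal.com.secure-login.example` and invalid for `www.paypal.com`: the padlock on the spoof site is genuine, and only the domain name in the address bar tells the two apart.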

Now, this is what I do every time I receive an email I classify as “odd”:

  • I am aware that the “From” field of an email is trivially forged, so I ignore it: it tells me nothing about the true origin of the message.
  • Links can also be forged, so I avoid clicking on any of them. Instead I open a new browser window and type the URL by hand (no copy-and-paste), and I type no more than the domain name. For example, if I get an email that claims to be from PayPal, I never reach my account through the link in the email; I open a new window and type www.paypal.com. Beware: there are many ways to make a URL look genuine (the link text can show one address while the link itself points to another, and a name like paypal.com.example.net belongs to example.net, not to PayPal), so don’t click on the links! Always go to the original site and start everything from there. Here you find some examples of how URLs can be faked.
  • I never reply to what I consider a spoof email. I report it instead here: Report Phishing
  • I carefully examine the SSL certificate and any other security warnings even when I believe I am visiting the genuine website (I use Firefox).
  • I don’t rely too much on visuals, and I take care not to be fooled by deceptive text (also known as “typejacking”), for example pay-pal instead of paypal, or paypa1 with the digit one in place of the letter l.
  • If the email comes from a commercial website I have never heard of, I “google” the domain to see whether it has ever been associated with phishing and whether it is secure, and I carefully check the original website, looking for all the security indicators.

This is some basic information to help you stay away from phishers. I hope you never become a victim. Just remember: don’t follow links in emails, websites or ads to reach a site where you log in; type the correct domain name yourself and go on from there. And never “confirm” your data in response to an email that says “bank X is updating its database”, or “there was a security breach, please confirm your details”, or anything of the kind. If you receive such a message and it looks somehow real, call your bank and ask, using the number printed on your card or statement rather than one taken from the email. Just don’t let phishers fool you!
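The link tricks described in the checklist above (a username before “@” that the browser ignores, link text that hides the real address, a genuine domain buried inside a bogus one, look-alike spellings) can all be checked mechanically before anyone clicks. The following Python script is an added example, not code from the original article: it extracts the links from a constructed spoof email and flags each trick. The sample HTML, the set of trusted domains and the cut-down public-suffix table are assumptions made for the example; real code would use the full Public Suffix List.

```python
"""Pull the links out of an e-mail body and flag the tricks phishers use to make
a URL look like it belongs to the site it imitates (added example)."""
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample message (not a real phishing mail): four links, three bad.
SAMPLE_EMAIL_HTML = """
<p>Dear customer, please <a href="http://www.paypal.com@203.0.113.7/login">log in</a>
to confirm your details.</p>
<p><a href="https://www.paypal.com.account-verify.example/">https://www.paypal.com/</a></p>
<p><a href="https://www.pay-pal.example/cgi-bin/webscr">PayPal Security Center</a></p>
<p>Or visit <a href="https://www.paypal.com/">https://www.paypal.com/</a> directly.</p>
"""

# Sites the reader actually has accounts with (assumption for the example).
TRUSTED_DOMAINS = {"paypal.com", "ebay.com"}

# Cut-down stand-in for the Public Suffix List, just enough for the samples.
PUBLIC_SUFFIXES = {"com", "net", "org", "example", "co.uk"}


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def extract_links(html):
    collector = _LinkCollector()
    collector.feed(html)
    return collector.links


def registrable_domain(host):
    """'www.paypal.com.evil.example' -> 'evil.example' (public suffix plus one label)."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(1, len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i - 1:])
    return host.lower()


def _looks_like_trusted(domain, trusted):
    """Crude look-alike test: drop hyphens, map 1->l and 0->o, look for the brand."""
    label = domain.split(".")[0].replace("-", "").replace("1", "l").replace("0", "o")
    return any(t.split(".")[0] in label for t in trusted)


def _visible_host(text):
    """If the link text itself looks like a URL or hostname, return its host."""
    if " " in text or "." not in text:
        return None
    return urlsplit(text if "://" in text else "//" + text).hostname


def analyze_link(href, text, trusted=TRUSTED_DOMAINS):
    """Return a verdict dict; 'findings' is a list of (code, explanation)."""
    parts = urlsplit(href)
    host = (parts.hostname or "").lower()
    domain = registrable_domain(host)
    findings = []
    if parts.username is not None:          # http://www.paypal.com@203.0.113.7/
        findings.append(("userinfo", "text before '@' is a username the browser "
                         "ignores; the real host is %s" % host))
    try:
        ipaddress.ip_address(host)
        findings.append(("ip-address", "bare IP address instead of the site's domain"))
    except ValueError:
        pass
    if any(label.startswith("xn--") for label in host.split(".")):
        findings.append(("punycode", "internationalised name; may use look-alike letters"))
    if domain not in trusted:
        for t in sorted(trusted):           # www.paypal.com.account-verify.example
            if ("." + t + ".") in ("." + host + "."):
                findings.append(("subdomain-trick", "%s appears in the name, but the "
                                 "site belongs to %s" % (t, domain)))
        if _looks_like_trusted(domain, trusted):
            findings.append(("look-alike", "%s imitates a trusted domain" % domain))
    shown = _visible_host(text)
    if shown and registrable_domain(shown) != domain:
        findings.append(("text-mismatch", "link text shows %s but the link goes to %s"
                         % (shown, host)))
    return {"href": href, "host": host, "domain": domain,
            "trusted": domain in trusted and not findings, "findings": findings}


def analyze_email(html, trusted=TRUSTED_DOMAINS):
    return [analyze_link(href, text, trusted) for href, text in extract_links(html)]


if __name__ == "__main__":
    for result in analyze_email(SAMPLE_EMAIL_HTML):
        print("OK " if result["trusted"] else "BAD", result["href"])
        for code, why in result["findings"]:
            print("     %-16s %s" % (code, why))
```

The check deliberately works on the registrable domain rather than on the whole hostname: that is the part of the name only the site’s owner can control, which is why `www.paypal.com.account-verify.example` is flagged as belonging to `account-verify.example` no matter how much of the real name is prepended to it.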