11/15/2006 -- Up until a few years ago, phishing wasn't a very common term in
our vocabulary. But the damage it has done over the years has forced many people
to pay much more attention to this security threat.
Today, when you say the word "phishing" in front of a network administrator
or a security expert, chances are he or she won't be thinking about sushi (or
the sport). Those who are responsible for network and computer security are
all too familiar with the dangers of phishing.
Unfortunately, there's a large number of end users who aren't quite as familiar
with the concepts or dangers of phishing. For those of us who work in the
IT field, it's our duty to educate users and make sure they know how to protect
themselves from phishing attacks.
What Is Phishing?
The term "phishing" originated around the mid-'90s when some hackers
caused a stir by stealing passwords from AOL users. Users were baited into accessing
a Web site that looked authentic but was, in fact, a fake. The scammers then
tried to lure users into providing personal information.
This method of fishing for passwords gave birth to the term "phishing"
(the "ph" came from a common practice among hackers of replacing the
letter "f" with "ph"). Webster's New Millennium Dictionary
of English defines "phishing" as:
The practice of luring unsuspecting Internet users to a fake Web site
by using authentic-looking e-mail with the real organization's logo, in an
attempt to steal passwords, financial or personal information, or introduce
a virus attack.
At one time, the FBI even called phishing the "hottest, and most troubling,
new scam on the Internet."
Phishing is also sometimes referred to as "brand spoofing" or "carding."
Anti-Phishing Working Group
The Anti-Phishing Working Group is
an organization that claims thousands of companies as its members, including
eight of the top 10 banks and four of the top five ISPs in the United States.
The group is focused on eliminating the fraud and identity theft that results
from phishing. According to its report from August 2006 (read the PDF here),
phishing attacks have been on the rise between 2005 and 2006 (see Figure 1).
Figure 1. Increase in phishing over the past year.
Among other findings, the report found that the United States is host to most
phishing sites (27.88 percent), followed by China (14 percent) and the Republic
of Korea (9.59 percent).
Common Forms of Phishing
In the most common form of phishing attack, a user gets a fake e-mail that looks
legitimate. The user is then asked to click on a link in the e-mail that goes
to a phony Web site. Once at the fake Web site, the user is typically asked
to update his or her personal contact information, which may include credit
card information, Social Security numbers, bank account numbers and so on. The
fake Web site steals the user's information for identity theft purposes.
Some of the most frequently spoofed Web sites include PayPal, eBay, Citibank,
AOL, MSN, Amazon and Yahoo -- although it's important to remember that phishing
isn't limited to only major Web sites.
It's easy to wonder how someone can be so naive as to provide personal information
on a fake Web site. The problem is that the victim has no reason to doubt the
authenticity of the Web site. Not only does the Web site look completely legitimate,
the e-mail that sent them there in the first place also looks authentic.
Phishers use all kinds of tactics to convince users that the e-mail is legitimate.
For example, phishers are especially active during major holidays, when users
who have placed online orders are expecting confirmation e-mails from online
vendors, such as Amazon.com or Buy.com. Phishers exploit this fact and send
out "spoofed" e-mails as if they were sent by these legitimate Web
sites. Even if a small percentage of users are scammed, the phishers have succeeded
in their goal.
In March 2004, a 19-year-old from Houston, Texas, pleaded guilty to
stealing identities with fake e-mails. According to the Federal Trade Commission,
he tricked 400 Internet users into divulging personal financial information,
such as Social Security and bank account numbers. He made at least $78,000 from
his fraudulent financial activities.
These kinds of financial gains are the primary motives for criminals who are
involved in identity theft and fraud.
Phishing Web Site Demos
To demonstrate a flaw in the Internet Explorer browser, DSLReports designed
this fake Symantec Web site in 2004. Move your mouse cursor around the page and
then click on the "privacy policy" link at the bottom. If you want
to see the real Symantec Web page, type "http://www.symantec.com/"
directly in your browser and see the difference.
A couple of years ago, another demonstration of an Internet security flaw showed
how a user can click on a link and end up on PayPal's Web site. To make matters
worse, this demonstration even proved to the user that the site was using Secure
Sockets Layer (SSL) because the Web address started with https and the SSL lock
was visible in the browser (as shown in Figure 2).
Figure 2. Phishing demonstration.
Microsoft eventually patched the flaw in the browser so clicking on the link
no longer takes users to the fake Web site.
Protecting Yourself From Phishing
Luckily, the latest versions of common Web browsers, such as IE 7 and Firefox
2, have built-in phishing filters to protect against phishing. By default, phishing
protection is turned on in these browsers. When you visit the Web addresses
in your browser, a phishing filter scans the Web address and pages for certain
characteristics that are associated with known phishing scams. If the site is
a suspected or known phishing site, you'll be notified.
Needless to say, this technique doesn't offer protection from the newest
phishing sites, because a phishing site typically disappears within a day or
two, often before it has been added to the filter's list. For better protection,
you can use an online service that contains a database that is updated every hour.
IE 7 includes an icon at the bottom of the browser that, depending on your
configuration, lets you check only the individual Web sites that you visit,
or you can enable automatic Web site checking for all sites (see Figure 3).
Figure 3. Internet Explorer 7 phishing settings.
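The checks a browser phishing filter applies to an address are easier to understand with a small working version. The following Python script is an added example for this article, not code from Microsoft, Mozilla or the Anti-Phishing Working Group; it pulls the links out of an HTML e-mail and flags the characteristics discussed above: visible link text that names a different site than the link actually goes to, a raw IP address in place of a domain name, a well-known brand buried inside someone else's domain, and a match against a known-bad list. The sample message, the brand table and the blocklist are constructed for the example; a real filter would pull its list from a feed that is refreshed hourly, as the article notes.

```python
"""Heuristic phishing-link checker (added example; not from the article).

Mirrors the kind of checks a browser phishing filter applies to an address.
The sample e-mail, the brand table and the blocklist are constructed data.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse
import ipaddress
import re

# Constructed data: brands the checker knows and their real domains, plus a
# sample blocklist that in practice would come from an hourly-updated feed.
KNOWN_BRANDS = {"paypal": "paypal.com", "ebay": "ebay.com", "amazon": "amazon.com"}
BLOCKLIST = {"secure-login-update.example"}


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from <a> tags in an HTML message."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registered_domain(host):
    """Last two labels of a host name (good enough for .com-style TLDs here)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def check_link(href, text):
    """Return the reasons a link looks suspicious (an empty list means no findings)."""
    reasons = []
    parsed = urlparse(href)
    host = (parsed.hostname or "").lower()
    if not host:
        return ["href has no host"]
    # 1. Destination is on the known-bad list.
    if registered_domain(host) in BLOCKLIST or host in BLOCKLIST:
        reasons.append("host is on the blocklist")
    # 2. Raw IP address instead of a domain name.
    try:
        ipaddress.ip_address(host)
        reasons.append("host is a raw IP address")
    except ValueError:
        pass
    # 3. Visible text names a site other than the one the href really goes to.
    m = re.search(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", text.lower())
    if m and registered_domain(m.group(1)) != registered_domain(host):
        reasons.append(f"link text says {m.group(1)} but href goes to {host}")
    # 4. A known brand appears in the host, but the registered domain is not the brand's.
    for brand, real_domain in KNOWN_BRANDS.items():
        if brand in host and registered_domain(host) != real_domain:
            reasons.append(f"'{brand}' used in host {host}, which is not {real_domain}")
    # 5. Plain http where account pages should be protected (a warning sign, not proof).
    if parsed.scheme == "http":
        reasons.append("not using https")
    return reasons


def scan_email(html):
    """Return {href: [reasons]} for every link in the message that raised a finding."""
    extractor = LinkExtractor()
    extractor.feed(html)
    findings = {}
    for href, text in extractor.links:
        reasons = check_link(href, text)
        if reasons:
            findings[href] = reasons
    return findings


# Constructed sample message: one legitimate link and two phishing-style links.
SAMPLE_EMAIL = """
<p>Your order confirmation:</p>
<a href="https://www.amazon.com/orders">View your order</a><br>
<a href="http://192.0.2.10/login">https://www.paypal.com/</a><br>
<a href="https://www.paypal.com.secure-login-update.example/">Update your account</a>
"""

if __name__ == "__main__":
    for href, reasons in scan_email(SAMPLE_EMAIL).items():
        print(href)
        for reason in reasons:
            print("   -", reason)
```

Run on the sample message, the Amazon link produces no findings, the raw-IP link is flagged three times (IP host, text/destination mismatch, plain http) and the lookalike PayPal link twice (blocklisted domain, brand in a foreign domain). The mismatch check is the one that matters most for the tips that follow: what a link says and where it goes are two different things, which is exactly why typing the address yourself is safer than clicking.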
So what can you do to protect yourself from phishing expeditions? Enabling
phishing filters in your browser is a good place to start. Here are some additional
things to keep in mind:
- Type the URL manually in the address bar to make sure that you're going
to the correct address. For example, if you want to go to PayPal's Web site,
type "https://www.paypal.com/" in the address bar instead of clicking
a link on someone else's Web site or in an e-mail.
- Don't click on URLs in e-mails to go to Web sites to purchase products or
to manage finances at financial institutions, even if the e-mail looks like
it's from one of your friends. Remember: E-mails can be spoofed. Manually
type the URLs, or use the Favorites/Bookmarks that you saved by visiting the
Web site by manually typing the address.
- Disable IE's active scripting, which allows you to run scripts and ActiveX
code. The options are available under Tools, Internet Options, Advanced tab,
Security. However, this may affect your browser's functionality.
- Avoid "remembering" passwords in your browser. To delete remembered
passwords in Firefox 2, go to Tools, Clear Private Data, or use the CTRL-SHIFT-DEL
combination. In Internet Explorer, go to Tools, Internet Options, General
tab and click Delete under the Browsing history section and then click "Delete
passwords."
- IE is used more widely than other browsers; therefore, it's more vulnerable
to attacks from hackers. For better browser security in general, use Firefox
-- but keep in mind that there's no such thing as a perfect browser.
Conclusion
While Internet browsing offers numerous benefits and an incredible wealth of
knowledge, it has also given rise to various fraudulent activities, such as
phishing. We're all vulnerable to phishing attacks that can cause us financial
harm and potentially steal our identities.
To avoid phishing attacks, you have several options that you can use. You should
use the latest versions of Internet browsers whenever possible. You should also
ensure that the built-in phishing filters are enabled in your browser. Finally,
follow the tips listed above to avoid being a victim of phishing bait.