phishing

a.k.a. carding or brand spoofing or hoax e-mail

(pronounced: fish-ing)

An online scam in which the perpetrator sends out a large number of legitimate-looking e-mails that appear to come from respected companies (such as Citibank, eBay, PayPal, Amazon.com, Microsoft, BestBuy, etc.) with the intent of "fishing" for personal and financial information from the recipient. These e-mails falsely claim to come from the respected company, which supposedly needs the user's information to update its files; in fact, they are an attempt to scam the user into surrendering private information that will later be used for identity theft.

The phony e-mail directs the user to go to a Web site with the logo of the respected company, where they are asked to update personal information (such as passwords, credit cards, social security numbers, and bank account numbers) which the legitimate organization already has. The Web site, however, is bogus and has been established only to steal the users' information. The e-mail usually includes a threat stating that the user's account will be closed if the updated information is not received within a specified time period.

The important thing to do is to never click on a link that is provided in these kinds of e-mails, but rather open up a new browser window and go to the official Web site in question. In other words, whenever you log in to your bank account or any other online account, be sure to open up a new Web browser and type in the URL to make sure you are on a secure page within your account's Web site. Even if you don't provide what they ask for, simply clicking the link could subject you to background installations of keylogging software or viruses.

Phishing is a variation on the word "fishing," with the idea that bait is thrown out in the hopes that while most will ignore it, some will be tempted into biting. Phishing can be a noun or a verb, while "a phish" or "a phisher" is the person doing the phishing.

Historical Perspective: The year 2003 saw the proliferation of a phishing scam in which users received e-mails supposedly from eBay claiming that the user's account was about to be suspended unless he or she clicked on the provided link and updated the credit card information (which the genuine eBay Web site already had). Because it is relatively simple to make a Web site look like a bona fide organization's site by mimicking the HTML code and the logo, this scam tricked people into thinking they were actually being contacted by eBay and were subsequently going to eBay's site to update their account information.

A survey in 2005 from First Data Corp. found that 43 percent of US adults had received at least one of the bogus e-mails. Of those, one in 20, or about 4.5 million people, gave up the requested information. Half of those ended up being victims of theft or identity fraud. Phishing scams continue to become more widespread and sophisticated. In 2006, Symantec identified 7.92 million daily phishing attempts, an increase of over 5.5 million in the previous six months. And as of 2009, phishing remains a growing problem. Some 49,084 unique phishing Web sites were set up in June of that year alone.

In another case before the Federal Trade Commission (FTC), a 17-year-old male sent out messages purporting to be from America Online that said there had been a billing problem with recipients' AOL accounts. The perpetrator's e-mail used AOL logos and contained legitimate-looking links. If recipients clicked on the "AOL Billing Center" link, however, they were taken to a spoof Web site that asked for personal information, including credit card numbers, personal identification numbers (PINs), and the like. It has been reported that more than 30 new phishing attacks occur every day.

If you suspect you have been phished, forward the e-mail to uce@ftc.gov or call the FTC help line, 1-877-FTC-HELP.

NetLingo Classification: Online Jargon