The Wordspy defines phishing as, "Creating a replica of an existing Web page to fool a user into submitting personal, financial, or password data". A phishing expedition is a two-pronged attack. First, the phisher creates a spoof email message: posing as a legitimate e-merchant operator, the phisher tries to lure a victim into visiting a web page. Second, that web page, a replica of the merchant's real form, collects whatever the victim types into it. Internet scams like phishing are so prevalent that they are taught as part of the online criminal justice degree curriculum and are also part of the Cyber Crime unit of the FBI. Here's an example of a spoof email message from "Paypal".
Sample Spoof Paypal Email Message
Examining the Lure
The phisher wants to lure you into visiting and completing the form at the URL behind the Click Here link. The phisher hopes to gather as much of your personal, banking, credit, and of course PayPal information as possible.
The phisher is trying to steal your identity.
Let's examine the web form the victim might visit.
The first part of the form appears legitimate enough. This is intentional, part of the overall social engineering attack. The phisher wants you to feel comfortable that this is really a PayPal form. Visit PayPal, and you'll see it is very similar to the personal account registration form (choose Sign Up in the upper right-hand corner).
Read the hostname in the URL carefully: paypal-supports.com is not a PayPal domain name. A WHOIS lookup on this hostname confirms this.
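The check described above, reading the hostname and comparing it with the domain you actually trust, can be automated for a mail filter or a browser extension. The following is an added example, not code from the original column: it extracts the hostname from a link, reduces it to its registrable domain, and reports whether the link is trusted, a brand lookalike (the brand name appears in the hostname but the registrable domain is not the real one, as with paypal-supports.com), or unrelated. The allowlist, the brand keyword and the sample URLs are constructed for illustration; the "last two labels" rule is a simplification, and production code should consult the Public Suffix List.

```python
from urllib.parse import urlsplit

# Constructed allowlist: the registrable domain(s) the brand legitimately uses.
# (Illustrative; not an authoritative list from PayPal.)
LEGITIMATE_DOMAINS = {"paypal.com"}


def registrable_domain(hostname: str) -> str:
    """Return the last two labels of a hostname, e.g. www.paypal-supports.com
    -> paypal-supports.com. Simplification: a real implementation should use
    the Public Suffix List so that names such as example.co.uk are handled."""
    labels = hostname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else hostname.lower()


def classify_link(url: str, brand: str = "paypal") -> str:
    """Classify a link relative to a brand.

    'trusted'    registrable domain is on the allowlist
    'lookalike'  brand name appears in the hostname, but the registrable
                 domain is not trusted (the phishing pattern on this page)
    'unrelated'  hostname does not mention the brand at all
    'invalid'    no hostname could be parsed
    """
    host = urlsplit(url).hostname or ""  # urlsplit drops any user@ prefix
    if not host:
        return "invalid"
    if registrable_domain(host) in LEGITIMATE_DOMAINS:
        return "trusted"
    if brand in host:
        return "lookalike"
    return "unrelated"


if __name__ == "__main__":
    # Constructed sample links (paths are made up for the example).
    for link in (
        "https://www.paypal.com/signup",
        "http://www.paypal-supports.com/verify",
        "https://paypal.com.example.net/login",
        "https://example.org/",
    ):
        print(f"{classify_link(link):10} {link}")
```

Note the third sample: paypal.com.example.net begins with the genuine domain, but its registrable domain is example.net, which is exactly why the check looks at the rightmost labels rather than searching the string for "paypal.com".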
Warning, Will Robinson!
The phisher next asks for your credit card, checking, and bank routing information. Some information requested should immediately set off alarms. The CVV is an anti-fraud security feature to help verify that you are in possession of your credit card. Use common sense here: if you enter the number in a web form, the phisher doesn't need to actually possess your card!
You should question any site that asks for your Social Security Number. A quick look at the legitimate PayPal registration form confirms that PayPal does not request this information: if they didn't want it when you created your account, why would they want it now?
The final clue in this part of the phisher's page is the request for your Credit/Debit card PIN. Again, use common sense: the Personal Identification Number is your "shared secret" with your bank. You punch it into an Automatic Teller Machine or brick-and-mortar store to withdraw money. You don't type it into a web form!
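The three red flags called out above (a request for the CVV, for a Social Security Number, and for a card PIN) are mechanical enough to check for in a form before anyone fills it in. This added example, which is not part of the original column, parses an HTML form with Python's standard-library HTMLParser, collects the names, ids, placeholders and label text of its fields, and reports which of those three categories the form asks for. The field patterns and both sample forms are constructed for illustration and are not copies of the real or spoofed PayPal pages.

```python
import re
from html.parser import HTMLParser

# Categories of data the text says a legitimate sign-up form would never ask
# for in a web form. Patterns are matched against field names/labels after
# underscores and hyphens are normalised to spaces. (Constructed for this example.)
RED_FLAG_FIELDS = {
    "card security code (CVV)": re.compile(r"\b(cvv2?|cvc|security code)\b", re.I),
    "Social Security Number": re.compile(r"\b(ssn|social security)\b", re.I),
    "card PIN": re.compile(r"\bpin\b", re.I),
}


class FormFieldCollector(HTMLParser):
    """Collect every identifier a user or script could read off a form:
    input/select/textarea name, id and placeholder, plus <label> text."""

    def __init__(self):
        super().__init__()
        self.fields = []
        self._in_label = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag in ("input", "select", "textarea"):
            self.fields.extend(a[k] for k in ("name", "id", "placeholder") if a.get(k))
        elif tag == "label":
            self._in_label = True

    def handle_endtag(self, tag):
        if tag == "label":
            self._in_label = False

    def handle_data(self, data):
        if self._in_label and data.strip():
            self.fields.append(data.strip())


def red_flags(html: str) -> list:
    """Return the red-flag categories (in RED_FLAG_FIELDS order) that the form requests."""
    collector = FormFieldCollector()
    collector.feed(html)
    normalised = [re.sub(r"[_\-]+", " ", f) for f in collector.fields]
    return [
        label
        for label, pattern in RED_FLAG_FIELDS.items()
        if any(pattern.search(f) for f in normalised)
    ]


# Constructed sample: a form in the style the text describes.
PHISH_FORM = """
<form action="/verify" method="post">
  <label for="cc">Credit card number</label><input name="card_number" id="cc">
  <label for="cvv">CVV</label><input name="cvv" id="cvv">
  <label>Social Security Number</label><input name="ssn">
  <label>Card PIN</label><input name="atm_pin">
</form>
"""

# Constructed sample: an ordinary registration form with none of the red flags.
LEGIT_FORM = """
<form action="/signup" method="post">
  <label>Email</label><input name="email">
  <label>Password</label><input name="password" type="password">
  <label>Zip code</label><input name="zip">
</form>
"""

if __name__ == "__main__":
    print("spoof form asks for:", red_flags(PHISH_FORM))
    print("legit form asks for:", red_flags(LEGIT_FORM))
```

Such a scanner is a heuristic, not a verdict: a form that asks for none of these can still be a spoof, and the hostname check remains the decisive test. It does, however, turn the "use common sense" advice above into something a mail gateway or browser plug-in can apply consistently.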
But it Looks So Real!
The last part of this web form completes the seduction and seals the deal for the phisher. If the form asks you for security information, and actually makes you take a security test, how can it be anything but legitimate?
The User Agreement and Policy (again copied from the legitimate form) are window dressing. Complete this form, and the phisher's off on a shopping spree in a flash.
Think before you click
Don't fall prey to such attacks. If you receive a message of this kind, report it. I did (report it):
If you want to read more about spoof email and phishing, read my column, Recognizing and Responding to Spoof email, at Loop.interop.com. The URL is
Hopefully, after reading this column, you'll be thinking, "It's a secure (SSL) page. He didn't create a hyperlink, but typed a URL. I can verify LOOP.interop.com at WHOIS, then find this column when I get there...".
Don't let your personal information fall into the wrong hands: get an identity theft protection service.