The term phishing is a general term for the creation and use by criminals of e-mails and websites – designed to look like they come from well-known, legitimate and trusted businesses, financial institutions and government agencies – in an attempt to gather personal, financial and sensitive information.
These criminals deceive Internet users into disclosing their bank and financial information or other personal data such as usernames and passwords, or into unwittingly downloading malicious computer code onto their computers that can allow the criminals subsequent access to those computers or the users’ financial accounts.
In a typical phishing scheme, criminals who want to obtain personal data from people online first create unauthorized replicas of (or “spoof”) a real website and e-mail, usually from a financial institution or another company that deals with financial information, such as an online merchant. The e-mail will be created in the style of e-mails by a legitimate company or agency, using its logos and slogans.
Phishers typically then send the “spoofed” e-mails to as many people as possible in an attempt to lure them into the scheme. In some “spear phishing” attacks, phishers have used other illegal means to obtain personal information about a group of people, then target that specific group with e-mails that include the illegally obtained information to make the e-mails appear more plausible. These e-mails redirect consumers to a spoofed website that appears to belong to that same business or entity. The criminals know that while not all recipients will have accounts or other existing relationships with these companies, some of them will, and those recipients are more likely to believe the e-mail and websites to be legitimate.
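The redirection described above relies on a link whose visible text looks like the legitimate site while its actual destination is the spoofed one. The following Python script is an added example, not part of the original text, showing the defender-side check a mail filter or security-awareness tool can apply: it extracts every link from an HTML message body, compares the domain named in the visible text with the domain the link really points to, and flags hosts that merely embed a trusted brand name or that are bare IP addresses. The sample message, the `TRUSTED_DOMAINS` list and the two-label "registrable domain" heuristic are all constructed assumptions for illustration (a real deployment would use the public-suffix list).

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample e-mail body: three links, two of them deceptive.
SAMPLE_HTML = """
<p>Dear customer, please verify your account:</p>
<a href="http://www.examplebank.com.evil-login.test/verify">https://www.examplebank.com/verify</a>
<a href="https://www.examplebank.com/help">Help center</a>
<a href="http://198.51.100.23/login">examplebank.com login</a>
"""

# Hypothetical list of domains the recipient legitimately deals with.
TRUSTED_DOMAINS = {"examplebank.com"}


class _LinkExtractor(HTMLParser):
    """Collects (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    # Naive heuristic: keep the last two labels ("www.examplebank.com" -> "examplebank.com").
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def is_ip(host):
    return re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host) is not None


def assess_link(href, text, trusted=TRUSTED_DOMAINS):
    """Return a list of human-readable reasons the link looks deceptive (empty = clean)."""
    reasons = []
    host = urlparse(href).hostname or ""
    if is_ip(host):
        reasons.append("href points at a bare IP address")
    href_dom = registrable_domain(host)

    # Domain that the visible link text claims, if it names one at all.
    m = re.search(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})", text.lower())
    if m:
        text_dom = registrable_domain(m.group(1))
        if text_dom != href_dom:
            reasons.append(f"visible text names {text_dom} but link goes to {href_dom}")

    # Trusted brand name embedded in an untrusted host, e.g. examplebank.com.evil-login.test
    for t in trusted:
        if t in host and href_dom != t:
            reasons.append(f"host {host} contains trusted name {t} but registrable domain is {href_dom}")
    return reasons


def scan_email(html, trusted=TRUSTED_DOMAINS):
    """Map each href in the message to its list of warning reasons."""
    parser = _LinkExtractor()
    parser.feed(html)
    return {href: assess_link(href, text, trusted) for href, text in parser.links}


if __name__ == "__main__":
    for href, reasons in scan_email(SAMPLE_HTML).items():
        status = "SUSPICIOUS" if reasons else "ok"
        print(f"{status:10} {href}")
        for r in reasons:
            print(f"           - {r}")
```

Only the genuine help-center link comes back clean; the first link is flagged both for the text/href domain mismatch and for wrapping the trusted name inside another registrable domain, and the third for using a raw IP address while its text names the bank.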
The concept behind many phishing attacks is similar to that of “pretext” phone calls (i.e., phone calls from persons purporting to be with legitimate institutions or companies asking the call recipients for personal information). In fact, the criminals behind these e-mails, websites, and phone calls have no real connection with those businesses. Their sole purpose is to obtain the consumers’ personal data to engage in various fraud schemes.