Phishing normally involves sending the same email to a large number of addresses. The email fraudulently asks the recipient to verify sensitive account details, either by logging in to a site linked from the message or by including the details in a reply, on the pretext of confirming that they are the authorised user of the account. The email purports to come from a trusted financial or payment institution such as PayPal, eBay, an online bank or a credit card company.
The term phishing is a variant of fishing: the sender puts out a lot of bait in the hope of catching a fish (a victim). Phishing emails are relatively easy to spot and many share the same characteristics. Below is an actual email in which only the name of the institution has been changed to a fictitious organisation.
Sent: Friday, 28 March 2008 2:09 p.m.
Subject: Internet Payment Company Verification Code
Dear Internet Payment Company Customer,
Please REGISTER "Internet Payment Company Verification Code", this a security measure that will ensure that you are the only person with access to the account.
If your account is not REGISTER within 72h Internet Payment Company will remove the account for security reasons.
Please respond as soon as possible!
Thanks for your patience as we work together to protect your account.
The Internet Payment Company Team
Please do not reply to this e-mail. Mail sent to this address cannot be answered. For assistance, log in to your Internet Payment Company account and choose the "Help" link in the header of any page.
Internet Payment Company Email ID IPC321
How to identify phishing bait emails

In the example above, there are certain clues that this is not from the genuine e-commerce site it pretends to be. Here are some of the giveaways.
- The request for confidential information
The fact that the institution is asking for your highly sensitive account information is the biggest indicator. A bona fide bank, credit card company or internet payment organisation will NEVER ask you to verify your account access details by email or through a link in one.
- Phrasing and grammar
Poor English and bad grammar, e.g. "If your account is not REGISTER within 72h." Many of these scams originate in non-English-speaking countries, so the phrasing and sentence structure may be poorly constructed. The reverse does not hold: a well-written message is not evidence that it is genuine.
- False links
The link you are asked to click will most probably not take you to the address shown. If you hover the mouse pointer over the link without clicking (on a phone, press and hold it instead), you should momentarily see the actual destination address, as we have tried to illustrate. If this differs from the address shown, that is a dead giveaway. DO NOT visit the site and DO NOT give them any information.
If you have already done so, contact your financial institution or e-commerce site immediately and ask for their help in stopping your account being used fraudulently.
- The need for urgency
A demand to act urgently should always be treated with suspicion. One of the scammer's tactics is to get you to hand over your information before you have time to think about what you are doing.
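The hover check described under "False links" can be automated for an HTML message by comparing where each link really goes (the href) with what the reader is shown. The following is an added example, not code from the original article. The sample message, the domain names and the 203.0.113.5 address are constructed for it, and the Internet Payment Company domain is an assumption.

```python
# Added example (not from the original article): flag "false links" in an
# HTML email, i.e. anchors whose visible text or destination does not match
# what the message claims. The sample message and every domain name below
# are constructed for this example.
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample modelled on the email quoted above. Only the third link
# really goes where it says it does. The claimed domain is an assumption.
CLAIMED_DOMAIN = "internetpaymentcompany.example"
SAMPLE_EMAIL = """
<p>Dear Internet Payment Company Customer,</p>
<p>Please <a href="http://login.ipc-verify.example.net/register">REGISTER</a>
your Verification Code at
<a href="http://203.0.113.5/ipc/">https://www.internetpaymentcompany.example/secure</a>
within 72h.</p>
<p>For assistance see
<a href="https://www.internetpaymentcompany.example/help">https://www.internetpaymentcompany.example/help</a>.</p>
"""

# Something that looks like a host name in the visible link text.
HOST_IN_TEXT = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})", re.I)
IPV4 = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


class _Anchors(HTMLParser):
    """Collect (href, visible text) pairs for every <a href=...> element."""

    def __init__(self):
        super().__init__()
        self.found = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")  # None for <a> without href
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            # Collapse whitespace so multi-line link text compares cleanly.
            self.found.append((self._href, " ".join("".join(self._text).split())))
            self._href = None


def extract_anchors(html):
    parser = _Anchors()
    parser.feed(html)
    return parser.found


def normalise_host(host):
    """Lower-case, drop a trailing dot and a leading 'www.' so that
    www.example.com and example.com compare equal."""
    host = host.lower().rstrip(".")
    return host[4:] if host.startswith("www.") else host


def check_anchor(href, text, claimed_domain):
    """Return the list of reasons this link is suspicious (empty if none)."""
    reasons = []
    parts = urlsplit(href)
    if parts.scheme not in ("http", "https"):
        return ["non-http-scheme"]
    host = normalise_host(parts.hostname or "")
    # http://trusted.example@203.0.113.5/ : everything before '@' is userinfo;
    # the browser actually connects to the host that follows it.
    if parts.username is not None:
        reasons.append("userinfo-before-host")
    if IPV4.fullmatch(host):
        reasons.append("raw-ip-host")
    # The visible text shows an address, but the link goes somewhere else.
    m = HOST_IN_TEXT.search(text)
    if m and normalise_host(m.group(1)) != host:
        reasons.append("text-mismatch")
    # The destination is neither the claimed domain nor a subdomain of it.
    if not (host == claimed_domain or host.endswith("." + claimed_domain)):
        reasons.append("off-domain")
    return reasons


def find_false_links(html, claimed_domain):
    """All suspicious anchors in the message as (href, text, reasons)."""
    flagged = []
    for href, text in extract_anchors(html):
        reasons = check_anchor(href, text, claimed_domain)
        if reasons:
            flagged.append((href, text, reasons))
    return flagged


if __name__ == "__main__":
    for href, text, reasons in find_false_links(SAMPLE_EMAIL, CLAIMED_DOMAIN):
        print(f"{text!r} -> {href}: {', '.join(reasons)}")
```

Run against the constructed sample, the REGISTER link is flagged only because it leaves the claimed domain, the second link is flagged three times (raw IP address, visible text disagrees with the destination, off-domain) and the genuine help link passes. The userinfo check catches the old trick of putting the trusted name before an "@" so that it appears first in the address bar; the off-domain check is deliberately strict and will also flag legitimate third-party links, which is the right default when the message is asking for credentials.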
If you are unsure whether an email is genuine, forward it to the institution it claims to come from, using a contact address you already know rather than one taken from the email, and ask. Many institutions publish a dedicated address for reporting suspected phishing, and you should get a prompt response advising whether it is a security threat or not.