How it works: Phishing

You receive an official-looking e-mail that says your bank is concerned about attempts to access your online bank account using an incorrect password, and that it needs you to verify your information. You click on the link (conveniently provided), and what looks like a bank website appears in your browser. You enter your user name and password.

A few weeks later, transactions you know nothing about start appearing on your bank or credit card statement.

What happened?

The short answer is that you fell for a phishing attack.

The bait

Exactly how it works takes a little more explaining.

First, the fraudulent note doesn't have to come from a purported bank. Other common examples of phishing attacks use references to the eBay online auction site, the Paypal electronic payment service and stock-trading sites.

Some phishers even target online game sites, aiming to get participants' "virtual money," says Dmitry Samosseiko, manager of SophosLabs Canada at Sophos, a security software firm.

In short, while purporting to come from an institution or company you do business with, phishing e-mails are fakes. Sometimes this is obvious, such as in cases where you get an e-mail about your account with a company with which you've never done business. Some phishing e-mails are easy to spot because of misspellings and bad grammar.

But phishing is getting increasingly sophisticated and harder to spot. Perpetrators today often run their operations like businesses, with salaried employees, including not just programmers, but also professional writers, says Dave Marcus, security and research manager for security software maker McAfee Inc. in Santa Clara, Calif.

The hook

Whether a phishing e-mail is well or poorly written, somewhere in the message is a link that you are expected to click - and it's when you do that you get into trouble.

No matter what the text in the link might say when you read the e-mail, the link itself does not lead to a legitimate website.

The website it does take you to may look very convincing, though. The most competent phishing sites can be quite hard to spot. Phishers capture corporate logos and copy the designs of legitimate websites, so there's little to tip you off that you're handing over your login and password information to a crook.

The link itself can be a giveaway, though.

Less sophisticated phishing e-mails may openly display a link that closely resembles a legitimate one but is subtly different. Say your bank is MajorBank, and its legitimate web site is www.majorbank.ca. A phishing e-mail might use a link with a slightly different domain name, like www.majorbank1.ca/securityverification, or even one with a hard-to-spot misspelling like www.maiorbank.ca (see the i in place of a j?).

Another approach is to display one thing in the text of the e-mail, but have the link actually direct you somewhere else. For example, the link in the e-mail might read www.majorbank.ca, but when you click on it, the underlying page code can instruct your browser to go to a completely different URL. In this case, the actual web address to which the link leads may bear no resemblance at all to a legitimate one. Most e-mail software can show you what address a link actually points to (if you're paying attention), or warn you when the target of the link doesn't match what is displayed.

Reeling you in

Assuming you don't spot the deception and do click on the fraudulent link in an e-mail message, what happens on the fake website that allows the bad guys to defraud you?

This part is fairly simple, really.

A phishing website will typically ask you to enter your user ID and password for the legitimate website you think you are looking at (again, note that the fake phishing site may be a perfect copy of the real site that it is masquerading as). When you enter the information, the fake site captures and stores it.

The phishers can then use the information to get access to your account. Or - as often happens in today's increasingly sophisticated computer crime world - the phishers who specialize in gathering such information simply sell it to others who specialize in using it to defraud people.

Once the phishing site has captured your information, it can simply show you an error message that claims your login failed. Some sites will then shunt you to the legitimate website of the company the phishers are impersonating, where you will try again and log in successfully, suspecting nothing other than a little slip of the fingers when entering your password. With others, you'll just keep getting the error message until you give up.

The end result can be anything from a few illegitimate charges against an account to wholesale identity theft.

Netting the phishers - or not

So why don't these people get caught? Surely someone will spot the deception and report it, and then the authorities can move in and shut down the bogus sites?

They can if they move fast enough, but the problem is that the phishers know they have a limited window of opportunity, so they work fast and they keep moving.

A fake site may operate only for an hour or so. Samosseiko says scam artists usually only use the data their spoof sites capture in the first few minutes of operation, knowing that after that, there is too much risk that someone who is on to them will start planting fake data in order to try to snare them.

Another problem for law enforcement officials is that phishing sites rarely run on the criminals' own web servers. Instead, phishers hack into poorly secured servers and set up their websites there. So even if authorities find the machine on which a fake site runs, they haven't found the criminals behind the phishing scheme.

The silver lining to phishers' use of unsecured servers is that most such servers lack facilities for encrypting data, so despite the fact that these scam artists are technically sophisticated, their sites usually lack the security that real banking and financial sites have. One precaution consumers can take is to look for "https:" at the start of web addresses. This denotes a secure site, and financial sites almost always have it, while phishing sites usually don't.

Other than that, Samosseiko says, consumers should always log into banking sites and others that deal with money and sensitive information by typing the address into a browser, not by clicking on a link in an e-mail.

Using a newer browser - many of them have built-in anti-phishing protection - provides some protection. And it's a good idea to check bank and credit accounts regularly for suspicious transactions.

The author is a Kingston, Ont.-based freelance writer.