What is a Phishing Scam?

R. Kayne

A phishing scam is an identity theft scam that arrives via email. The email appears to come from a legitimate source such as a trusted business or financial institution, and includes an urgent request for personal information usually invoking some critical need to update an account immediately. Clicking on a link provided in the email leads to an official-looking website. Personal information provided to this site, however, goes directly to the scam artist.

Phishing scams generally target personal information, such as one's Social Security number.

Fraud is a growing problem on the Internet as people are tricked into providing personal information, including credit card numbers, passwords, mother's maiden name, bank account numbers, ATM pass codes and Social Security numbers. Antivirus software and firewalls do not catch most phishing scams because the emails contain no suspect code, and spam filters let them pass because they appear to come from legitimate sources.

Computer viruses may be part of a phishing scam.

The links included in phishing scams take the unsuspecting person to a fraudulent website designed to mimic the real thing, often down to the smallest detail including copyright notices, submenu titles and so on. It's virtually impossible for most people to tell they are the target of a phisher by looking at the site alone. Clues in the address can sometimes reveal the deception, however.

Phishing scams may attempt to get credit card information for fraudulent purchases.

Similar-looking characters might be substituted for the real characters in the spelling of the link, so that a "1" (numeral one) is used in place of a lower-case "L." For example, phishers have used paypa1.com rather than paypal.com. Other times an IP address — a numerical address — is used to hide the fact that the link is not taking the victim to the real site. Phishing scams have become so sophisticated, however, that phishers can also appear to be using legitimate links, right down to the real site's security certificate.
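As an added example (not part of the original article), a small Python checker that applies the two address clues described above, look-alike character substitution and raw IP addresses in links, to the URLs found in an email. The confusable map, the trusted-domain list and the sample URLs are constructed for illustration.

```python
import ipaddress
from urllib.parse import urlparse

# Look-alike substitutions of the kind described above (constructed map;
# each entry folds a substituted glyph back to the character it imitates).
CONFUSABLES = {"1": "l", "0": "o", "5": "s", "3": "e", "7": "t", "rn": "m", "vv": "w"}


def normalize_host(host: str) -> str:
    """Fold look-alike characters back so a substituted hostname compares
    equal to the legitimate one (paypa1.com -> paypal.com)."""
    host = host.lower()
    for fake, real in CONFUSABLES.items():
        host = host.replace(fake, real)
    return host


def registered_domain(host: str) -> str:
    # Crude last-two-labels rule, sufficient for the .com hosts used here;
    # a production tool would consult the Public Suffix List instead.
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def classify_link(url: str, trusted_domains: set) -> str:
    """Verdict for one link: 'trusted', 'ip-address', 'lookalike' or 'unknown'."""
    host = (urlparse(url).hostname or "").lower()
    if not host:
        return "unknown"
    try:
        ipaddress.ip_address(host)   # numeric address hiding the real destination
        return "ip-address"
    except ValueError:
        pass
    dom = registered_domain(host)
    if dom in trusted_domains:
        return "trusted"
    if normalize_host(dom) in trusted_domains:
        return "lookalike"           # spelled like a trusted domain, but not it
    return "unknown"


def scan_links(urls, trusted_domains):
    """Map every URL in an email to its verdict."""
    return {u: classify_link(u, trusted_domains) for u in urls}


if __name__ == "__main__":
    trusted = {"paypal.com", "microsoft.com"}          # constructed allow-list
    sample = ["https://www.paypal.com/signin", "http://www.paypa1.com/update",
              "http://192.0.2.10/paypal/login", "https://update.microsoft.com/"]
    for url, verdict in scan_links(sample, trusted).items():
        print(f"{verdict:11} {url}")
```

A link flagged as "lookalike" or "ip-address" is exactly the case the text warns about: the address should be typed into the browser by hand rather than followed from the email.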

The best way for someone to protect himself from phishing scams is to avoid supplying personal information in response to an email request. If the request might be legitimate, the company's customer service department should be called to verify it before any information is provided; phone numbers contained in the email, if any are included, should not be used. Even if the request is legitimate, one should type the required address into the browser manually rather than clicking on a link, as a phishing scam could conceivably run concurrently with legitimate business.

For example, in early April 2005 a mass emailing that appeared to be from Microsoft Corporation urged recipients to download a much anticipated security update. Those that clicked on the link in the email were taken to a site that looked like a legitimate Microsoft update site. Instead of updating their software, however, they were actually downloading a Trojan horse — a remote access program that can steal personal information. Microsoft does not use email notification in this way, but many users were caught unaware.

The famous "letter from Nigeria" was another type of phishing scam. This type of scam is so prevalent that it has its own name: the 419 scam. The phisher pretends to be a Nigerian official in distress who needs a US bank account in which to park money, and promises the person who allows temporary use of their account a handsome reward. Instead, those who provided their banking information became victims of theft.

In the US, the Federal Trade Commission (FTC) and others have concentrated on public education to fight phishing scams, as catching phishers is difficult. Fraudulent sites operate for very short periods of time and scams are often run from other countries. In March 2005, Microsoft filed 117 phishing lawsuits in the Western District of Washington with unnamed defendants.

The Anti-Phishing Working Group (APWG) is an international organization of volunteers working to track phishing scams. Its website keeps an online database of fraudulent emails submitted to it. You can check this site for new scams, or send it phishing email you receive. The APWG is largely an information hub, but it does provide links to consumer resources. The FTC also offers advice for consumers, and an email address for reporting phishing, on its website.

The so-called Nigerian scam is believed to have originated in the African nation in the 1970s.


Discussion Comments


It also happens on Facebook. I couldn't open my account recently, so it's good that my Yahoo account is there, so I changed my password. Then, after that, I received a message on Facebook saying, "You recently changed your Facebook password. As a security precaution, this notification has been sent to all email addresses associated with your account."

If you did not change your password, your account may have been the victim of a phishing scam.


This morning I was surprised because I can't open my email anymore. I remember I have been receiving mails in my spam every day with suspicious contents. Every day I delete them, but now I can't open my email using my password, even though I didn't change it. Please, can somebody explain what happened? I have files attached to my emails regarding my personal information, but no card numbers, passwords or any financial means. Thanks!


I started getting these every day. At first I did not understand what they were. When I found out, I started reporting them as phishing scams.

I suggest you do this. It helps people to identify the scams and helps prevent people from being scammed.


I used to get a lot of the 419 scams, but thankfully I haven't had one in a while now.

The most recent phishing email I've received was a year ago. I came so close to clicking the links because it supposedly had come from my bank. The email had the exact logo and the wording seemed very professional. I was suspicious enough to call and speak to customer service, and they said not to click anything and to forward the email to them.

Since I guess you can't even trust the security certificate anymore, just always call the bank first!

It's better to feel a bit foolish than to be flat broke.
