A phishing scam begins with the distribution of an email that appears to be from a legitimate company, usually a bank or Internet shopping site. The email, which is typically addressed to a generic customer (e.g., “Dear Valued eBay Customer”), often contains authentic-looking logos from a legitimate company. Messages in these emails vary, but most indicate either that the company is undergoing a process of updating its records or that the customer’s account information has been compromised through fraud. The email directs the user to click on a link that takes the user to a Web site that also looks authentic. Once on the site, the page directs the user to enter personal information, including the user’s password.
Many victims of phishing schemes are unaware of what happened to them because they have been led to believe that the email and Web site were authentic. The person responsible for the phishing attack creates deception by producing a URL that looks like it belongs to an actual company. A victim often sees words in the hyperlink that are associated with the company, such as “eBay” or “CitiBank,” and has no idea that the URL is fake. The Web site that the victim visits is likewise designed to deceive the victim because it usually looks identical to a company’s actual site.
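The following is an added example, not part of the original text: a mail-filter style check for the deceptive hyperlinks described above. It extracts each link from an email's HTML, resolves the host the link really points to, and flags links that mention a brand, or display a different address, while pointing somewhere else. The brand allowlist, function names and sample email are assumptions constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: illustrative allowlist of domains each brand really uses.
BRAND_DOMAINS = {"ebay": {"ebay.com"}, "citibank": {"citibank.com", "citi.com"}}
# Constructed sample email body (hosts use the reserved .example TLD).
SAMPLE = '''<p>Dear Valued eBay Customer,</p>
<a href="http://signin.ebay.com.account-update.example/login">https://signin.ebay.com/</a>
<a href="http://account-update.example/ebay/login">Update your eBay records</a>
<a href="https://www.ebay.com/help">eBay Help</a>'''

def host_of(url):
    """Hostname the browser would actually connect to ('' if none)."""
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").rstrip(".")

def belongs_to(host, domains):
    """True if host is one of the domains or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in domains)

def check_link(href, text):
    """Return reasons a link looks deceptive (empty list = none found)."""
    host, shown, reasons = host_of(href), text.strip(), []
    # Only treat the visible text as an address if it looks like one.
    shown_host = host_of(shown) if shown and " " not in shown and "." in shown else ""
    if shown_host and not (belongs_to(host, {shown_host}) or belongs_to(shown_host, {host})):
        reasons.append(f"text shows {shown_host} but link goes to {host}")
    for brand, domains in BRAND_DOMAINS.items():
        # Brand word anywhere in the URL or text, but the host is not the brand's.
        if brand in (href + " " + shown).lower() and not belongs_to(host, domains):
            reasons.append(f"mentions '{brand}' but host {host} is not a known {brand} domain")
    return reasons

class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text)))
            self._href = None

def scan_email(html):
    """Map each link's href to the list of reasons it was flagged."""
    parser = LinkCollector()
    parser.feed(html)
    return {href: check_link(href, text) for href, text in parser.links}
```

The check compares hosts by suffix against an allowlist, so a brand name used as a leading label of an unrelated domain is still flagged, while the brand's own subdomains are not.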