Beware of the phishing net ... don't click on any suspicious links in your email Photograph: Genius

What is phishing, and how to defend against it

Phishing is "the act of defrauding an online account holder of information by posing as a legitimate company", according to the dictionary. Most people will already be familiar with it through the stream of spam emails arriving in their inboxes pretending that there has been a "security update" to their bank, credit card, online shop or similar system.



The modus operandi is almost always the same: the user is lured by an email to go and view a page. (The excuse may vary: sometimes it's a "security update which means we need your details again", sometimes it's "attempts have been made to access your account", and sometimes it's "confirming your order for..." – citing some expensive object you'd never have wanted at an online site.)

The page looks credible enough, but is a fake: typically it will simply have copied all the elements of the real page, such as an Amazon, eBay or even bank page, but is hosted on a hacked server or even PC somewhere else in the world.

In the Gmail attacks, the fake pages copied a Gmail login page.


How to protect yourself ?


An early clue to a phishing attempt is poor spelling or grammar: the hackers behind these attacks often don't have English as their first language. Be alert for any tiny clues in the original message.

If you do click on it, the giveaway in all phishing attacks is the element that the hackers cannot replicate: the "secure certificate", which is required to make links to the legitimate site secure. Thus if you get an email which says you need to re-enter your login details, a key precaution is to look at the URL in the address bar of your browser. It should start with "https://" (the "s" is for secure).

If it doesn't, then try adding it. You'll find that on sites such as Amazon, eBay, Gmail, Hotmail, Yahoo, Twitter, Facebook, and any of the major banks, the site will quickly reappear, but usually with a padlock in the address bar. That indicates that the site is safe.

Hackers can't – at present – get hold of the secure certificates needed to create https: sites, which means that you have a simple way to check whether the site is real.

Another way, if that doesn't work, and if you're still suspicious, is to purposely enter the wrong details for your username and password on the site. The fake site won't know that they're wrong – and will accept them. That means protection for you: the phishers now think they've got your details, but haven't. If it's the real site, of course, it will point out your error.

One danger of having clicked on a phishing email is that the destination page will often be loaded with malware that can silently infect Windows PCs (and Mac versions may be around the corner). It's best to be wary in the first place.



Why is it called 'phishing'?


The origins are a combination of "fishing" and "phony"; it first emerged on AOL in 1995 when hackers wanted to get control of legitimate accounts.


Specialist forms – security experts now talk about "rock phishing", "whale phishing" and "spear phishing"


Rock phishing: hackers register a large number of domains (in the hundreds or even thousands) and use them to host small programs called "scripts" that connect to their main controlling site. Simply, the combination of the huge number of domains and the scripts meant that gangs could spam millions of emails out for huge numbers of sites such as banks as well as online shopping sites; unwitting victims would click on them and be directed to a dynamically-generated domain that seemed to match the site that wanted their credentials.

The people behind rock phishing, which first started appearing in 2004, are extremely talented and coordinated; their motivation is almost entirely financial.

Whale phishing (or "whaling"): phishing campaigns that are tightly targeted at individuals of high net worth. In 2008, for example, the Internet Storm Center described how a number of chief executives had received what looked like a US federal subpoena ordering them to supply testimony in a case. If they clicked and downloaded it, their machines could be infected – the subpoena was in fact malware.

Spear phishing: campaigns that target individuals within a specific organisation, making use of information that might be expected to be specific to their work or field of expertise. The Gmail attacks from China fit the "spear phishing" description exactly: they masqueraded as coming from inside a tightly drawn group.