Phishing

January 2nd, 2005

My father just got his first phishing email. “Phishing” is a “leet” word, intentionally spelled wrong in the fashion of “warez” (illegally copied software), “n00b” (newbie), or “h4x” (hacks). “Leet” is short for “elite,” a kind of hacker’s written slang, invented in the late ’80s probably to allow hackers on BBS or chat areas to talk about illicit deeds while avoiding text filters. Phishing is certainly an illicit activity, and fits into that category nicely.

Phishing is when someone sends out massive emailings designed to get unknowing victims to cough up vital information, like bank account numbers and passwords. The email is often easily spotted as fake, but if a scammer sends out a million emails, they’re bound to get several bites, ergo the reference to fishing.

Today’s phishing scams are centered on bank accounts primarily (though eBay and PayPal are hit quite often as well). You get an email from a bank; sometimes you belong to it, sometimes not, it’s all part of the fishing experience. Let’s say you’re a customer of the bank, for this example. The email looks very official, and appears to come from a valid address with the bank’s domain name (e.g., users-billing21@citibank.com). It may or may not contain the bank’s logo and other official-looking graphics. The email is written in a professional-looking way, and it contains an alarming message: your account at the bank is going to be suspended. Now, nobody wants that! The concern that such a thing might happen will drive a lot of people to take the email seriously.

The reason given for account closure is usually that someone has been trying to access your account with an incorrect password, and in order to ensure security, they will suspend your account–unless, of course, you go to the bank’s web site and verify your logon information. Now, the link is the tricky part. Usually they will display a link that looks quite official–again, with the bank’s domain name. Here’s where the sleight of hand comes in, and they hope you won’t be looking all too carefully.

Now, when you are presented with a link, there are two parts to it: the link text that is displayed to you, and the actual address which it links to. With a link as part of an email message, you might view it in a browser or in an email program. In the browser, the link is supposed to be more transparent; as you hold the cursor over the link, the address it links to should appear in the status bar (the strip at the bottom of the browser’s window). Here, let’s try it. Hold the cursor over this link: http://www.cnn.com. Note that the URL in your status bar at bottom left is not the same as the one displayed in the link. That’s because the displayed link text can be anything the sender wants. The same is true in your email program, like Eudora, except that the link is even more opaque because the actual address is usually not displayed in a status bar or elsewhere; you click on the link, and it just takes you there.

The reason I’m telling you about the status bar in browsers and the real link is not just to demonstrate how you can be faked out, but also because that’s a good thing to look at in browsers before following a link. You can be faked out. You should not just jump willy-nilly into any link thrown at you, especially in email, where spammers may have given it to you. Not only could it lead to a fake site, but it could also include a code that clearly identifies you as being the visitor. But that’s another scam, so let’s get back to the phishing.

So you get the email, apparently from the bank, telling you your account will be suspended, and to stop that, follow this link. On the face of it, the link will appear to be one that goes to the bank’s domain, or will just be a link saying, “To confirm your bank account records please click here.” The thing is, if you follow the link, it will not take you to the bank’s web site; it will take you to the scammer’s web site, which is reconstructed to appear identical to the bank’s page, using graphics stolen from that page, and to a great degree is copied wholesale from the bank’s site, so as to fool you into thinking you’re at the bank’s site.

There is a telltale, though: look in the URL window at the top of your browser window. When following a phishing link, you should see an address that looks like this: http://218.65.110.11/suntrust/internetbanking/ (though be careful–one of the security holes you hear about in Explorer allows hackers to fake even this). Note that it begins not with a domain, but with a number. That’s an IP Address, which is the same to your browser as a domain name. But to you it’s a number, and as such is nondescript and anonymous. That’s what the scammers want–they want you not to know where you really are. That number I gave you–218.65.110.11–was the IP address of a real scammer who recently phished for me. That wasn’t the address for the Sun Trust Bank, it was the address of the computer where the phisher was lurking.
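As an added example, not part of the original post, here is a small Python checker that applies the two tells described above to an HTML email body: link text that shows one host while the real href goes to another, and an href whose host is a bare IP address rather than a domain. The sample message is constructed for illustration (it reuses the IP address quoted in the post), and the regex-based anchor extraction is a simplification for brevity.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed sample message: the visible link text names the bank's domain,
# but the real href is a bare IP address with the bank's name in the path.
SAMPLE_EMAIL = """<p>Your account will be suspended. To prevent this, visit
<a href="http://218.65.110.11/suntrust/internetbanking/">http://www.suntrust.com/verify</a>
or <a href="https://www.suntrust.com/">our main page</a>.</p>"""

# Pulls href and inner text out of each <a> element. Sufficient for this demo;
# a production mail filter should use a real HTML parser instead of a regex.
ANCHOR_RE = re.compile(r"<a\s[^>]*?href=[\"']([^\"']*)[\"'][^>]*>(.*?)</a>", re.I | re.S)
TAG_RE = re.compile(r"<[^>]+>")

def extract_links(html):
    """Return (href, visible text) pairs for every anchor in the HTML body."""
    return [(href, TAG_RE.sub("", text).strip()) for href, text in ANCHOR_RE.findall(html)]

def host_of(url):
    """Lowercase hostname of a URL; bare 'www.example.com' text is accepted too."""
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").lower()

def is_ip_literal(host):
    """True when the host is an IPv4/IPv6 address rather than a domain name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def suspicious_links(html):
    """Return (href, reason) for every link failing one of the two checks."""
    findings = []
    for href, text in extract_links(html):
        real = host_of(href)
        # Check 1: the address bar would show a number, not a domain.
        if is_ip_literal(real):
            findings.append((href, "href host is a bare IP address"))
        # Check 2: the displayed text looks like a URL but leads elsewhere.
        if re.match(r"(https?://|www\.)", text, re.I) and host_of(text) != real:
            findings.append((href, f"text shows {host_of(text)}, href goes to {real}"))
    return findings
```

Running `suspicious_links(SAMPLE_EMAIL)` flags the first link twice (IP host, and displayed host differing from the real one) and leaves the genuine second link alone.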

So if I had gone to that page and input my user ID and password, I would have gotten an error message. And in the time it would have taken me to call the bank and ask what was wrong with their page, the scammer would already have gotten into my real account, changed the password, and done his best to empty it of all my money. What the scammer would really love is that after you get the error message, you simply give up and not look into any of this for a while. But they wouldn’t need long. They tend to scram pretty fast–most links to phishers’ fake bank pages go offline very quickly.

So don’t trust any message like that, if for no other reason than that banks never send emails like that. The only time banks will send you email is if you send them an email query first, and even then, they will address you directly by name (phishers don’t do that), and they don’t respond with a detailed message, just with a note to go to their main home page (they do not even give you a link, just tell you to go to their honest domain).

So the simple solution is not to trust any email message that claims to be from a bank. Beyond that, don’t trust any official-looking email that does not address you directly by name; don’t try to communicate with banks by email; and for that matter, don’t trust any email that has to do with financial institutions at all. And never enter a financial web site through a link–type in the domain name directly.
