Simply defined, phishing is the act of tricking you into believing you are having a normal transaction with a trusted and well-known internet merchant. Of course, you should already be asking: what bait and subterfuge are required for this to work? What skulduggery could ne’er-do-wells use to carry out this trick on unsuspecting internet users like yourselves? Here, we’ll need to define another term to complete the picture. Fortunately, this term isn’t as much technobabble as the previous one: to spoof means to pretend to be someone well known and trusted, when in fact the sender is an internet criminal with malicious intent. Yes. If this has not become clear to you already, alarm bells should be ringing loudly in your head right now. Together with viruses, trojans, adware and other forms of malicious software (all lumped under the term malware), spoofed emails in your inbox provide the bait for an impersonation attack.

Let’s now run through an example. Suppose you are a long-time, loyal and trusting customer of Bank A. One day you receive an email telling you to change your password (passwords should be changed once every three months in standard secured computing environments, of course). You often get reminders like this at work from the system administrator, so you think nothing of it and follow the advice given. The email sender even provides you with a link to help you with this (saves you having to find that bookmark somewhere). How considerate of them! Right now, picture yourself as the fat catch of the day for the internet criminal. The damage isn’t irrevocable, but once you click on the link, quickly try to log in (we’ve done this for the nth time, right?) and FAIL, you may start suspecting that something is wrong. Unfortunately, because the internet moves literally at the speed of light, and your login and password have already been captured, stored and forwarded, there’s a very high chance that, through the distributed power of the internet, an automated mechanism has already logged in at the REAL banking website with the login details and password you so kindly provided, and every last cent in your account has been pilfered!

This is a simplified example, of course, but it demonstrates the working theory and practice of an impersonation attack. You should be thinking about countermeasures immediately, and they fall broadly into two categories. Category One is all about safe online conduct. The internet is literally a virtual Wild West frontier (not unlike the real thing). Trust no one, and certainly not just any email purportedly sent from your bank. If you’re technically minded, you may notice that clicking on the link will direct you to a DIFFERENT website (www.bankof-a.com as opposed to www.bankofa.com) and that the spoofed login page may not be a 100% replica of what you’re used to. Category Two covers the technical tools at your disposal to combat these threats. Always upgrade your browser to the latest version, because new vulnerabilities are being discovered and fixed all the time, and also because most recent browsers have new tools and technologies to detect attacks of this sort.

Finally, make sure you have up-to-date anti-virus, anti-malware and internet security software. Even the free ones do a good job and you can google them easily online.
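The lookalike-address check from Category One (www.bankof-a.com as opposed to www.bankofa.com), as an added example that is not part of the original article: it pulls the real link targets out of an HTML email and flags any host that is a near-miss spelling of a trusted one. The trusted-host list, the sample email and all function names are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit
TRUSTED_HOSTS = {"www.bankofa.com"}  # assumption: hosts taken from your own bookmarks
# Constructed sample email body, built from the two addresses in the article.
SAMPLE_EMAIL = """<a href="http://www.bankof-a.com/login">Reset it at www.bankofa.com</a>
<a href="https://www.bankofa.com/help">Help centre</a>"""

class LinkCollector(HTMLParser):
    """Collects the href of every <a> tag: where a click really goes."""
    def __init__(self):
        super().__init__()
        self.links = []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.links += [v for k, v in attrs if k == "href" and v]

def normalise(host):
    """Lowercase and drop a leading 'www.' so both spellings compare equal."""
    host = host.lower().rstrip(".")
    return host[4:] if host.startswith("www.") else host

def edit_distance(a, b):
    """Levenshtein distance: single-character inserts, deletes, substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_host(host, trusted=TRUSTED_HOSTS, max_distance=2):
    """'trusted' on an exact match, 'lookalike' on a near-miss spelling, else 'unknown'."""
    name, known = normalise(host), {normalise(h) for h in trusted}
    if name in known:
        return "trusted"
    if any(edit_distance(name, good) <= max_distance for good in known):
        return "lookalike"
    return "unknown"

def check_email(html, trusted=TRUSTED_HOSTS):
    """Return (url, verdict) for every link in an HTML email body."""
    collector = LinkCollector()
    collector.feed(html)
    return [(u, classify_host(urlsplit(u).hostname or "", trusted)) for u in collector.links]

if __name__ == "__main__":
    for url, verdict in check_email(SAMPLE_EMAIL):
        print(f"{verdict:10} {url}")
```

The verdict is based on the link's `href`, not on the text shown to the reader, which in the sample deliberately displays the genuine address.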