Phishing Attacks & How To Spot Them
Even the word used to describe this form of internet theft, phishing, doesn’t sound very pleasant.
It’s a variant of fishing of course and it’s very apt, as cyber criminals set out on fishing trips every day on the internet, but it’s not cod, or mackerel they are after, but your personal details. They hang the bait over the side and remarkably millions of people fall for it.
And it’s been around for some time, with a particular technique being described in detail in 1987. The first time the term was used in this context was 1996, so it’s not just today’s problem. But as more and more people surf, then its threat can only increase.
But given the simplicity of the con – here is a website, please give us your details – it’s perhaps no surprise that so many people get caught. It is a very effective criminal tactic and one that should be guarded against at all costs. In 2004, a research report concluded that 11 million surfers in the U.S. – around 20% of those that received phishing emails – actually clicked on the link that came with a bogus email, and that two million of them (about 2% of all recipients) went on to enter personal information into a false website. Phishing is said to have cost U.S. banks alone some $1 billion in 2003. So, if you’ve ever wondered why criminals persist with phishing attacks, there’s your answer: at least $1 billion tapped out of the U.S. alone.
So okay, what exactly is a phishing attack? Phishing emails, or indeed, phishing instant messages, are designed to entice the recipient onto a fraudulent site which then encourages you to enter your personal details. The person that’s controlling the fraudulent website usually then sells those personal details to another bunch of crooks who then syphon off your bank account. But perhaps as an indication of how much of this goes on, the current going rate for a set of credit card details is 4p and for a complete identity, a mere 50p.
As a con, its genius lies in its ability to provoke a reaction. The phisher designs a very plausible email, or instant message, which looks as though it originates from a legitimate source. It might be a bank, PayPal, eBay, or some other company that you might deal with on a regular basis. And the phisher hopes he strikes lucky, by matching his chosen institution with a customer of that institution. The recipient reads the urgent message and panics, thinking yes, they’d better react before (and this is the usual ploy) a service is stopped. So, the con relies on a masquerade and an urgent call to action. Quite neat when you think about it; although having your bank account raided, or your credit card run up, is not so neat for you.
Now, there are a number of ways you can spot a phishing trip.
But firstly, there is one golden rule when it comes to defeating phishers. Never give out your details – credit cards, passwords, or whatever – in reply to a request that arrived by email. Most financial institutions, and most legitimate companies dealing with finance on a daily basis, will not suddenly ask for your personal details. Why should they? They have them anyway. So when a phisher asks you to “confirm” your details, bin the email straight away. Always be cynical and always question someone’s motives.
Now, given the above advice, you can look for other things if you don’t want to end up as bait on someone’s hook.
Firstly, if you receive an email requesting you to click through to a log-in page on a website, don’t do it. Please, don’t do it, even if you think the email might be genuine. If it’s your bank, telephone them (using the number on your card or statement, not one printed in the email) and ask them what they’re playing at. If it’s a site that relies on online communications, open the site up independently of the email you’ve received, by typing the address yourself or using your own bookmark, and check your account that way.
Don’t ever enter financial, or personal details when visiting a site you do not trust. So if you clicked on the email link and find yourself on a site, and they ask for personal information, or financial information, resist. Close the site down and walk away.
Also, phishing emails have a sense of urgency about them; that’s the key part of the con. They do not say, “…why don’t you connect when you have a moment…” The trick for them is to hit you with a believable email and get you to react quickly. Giving someone little time to think is one of the classic methods of exerting pressure. The more time someone has to think, the more time they have to convince themselves it’s all a load of baloney. And banks and legitimate websites, as a rule, do not issue such emails.
Another key indicator is the website address they are using. Have a close look at the link embedded in the email. The visible text can say anything they like, including an address that looks exactly like your bank’s, but the real destination is the address underneath it, and if you hover your mouse over the link, most email programs and browsers will show you that true address, alerting you to the hoax. When you read it, the part that matters is the name just before the first single slash, read from the right: an address like www.yourbank.com.security-check.example belongs to whoever registered security-check.example, not to your bank, however familiar the beginning looks.
Another key indicator is an @ in the address. In a web address, anything between the :// and an @ is treated as a username (and optional password), not as part of the destination at all; the browser connects to whatever comes after the @. So an address like http://www.yourbank@203.0.113.5/login (where 203.0.113.5 stands in for the phisher’s server) takes you straight to 203.0.113.5, and the www.yourbank part is there only to catch your eye. Modern browsers either hide or refuse such addresses, but they still turn up in emails, so treat any @ in a web link as a bad sign.
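To make the two indicators above concrete, here is a small link checker, added by the editor and not part of the original article. It uses only the Python standard library: urlsplit() already treats whatever sits before an @ as a username, so the real host falls out of the parse, and a second check compares the address a reader sees with the one the link actually goes to, including the case where the bank’s name is merely a subdomain of someone else’s domain. All link texts and addresses in it are constructed for illustration (203.0.113.5 is a reserved documentation address), and the registrable-domain helper is a deliberate simplification that a real tool would replace with the Public Suffix List.

```python
"""Check where a link in an email really leads.

Editor's added example, not code from the original article. It applies
the indicators described above (visible text that differs from the href,
an '@' hiding the true host, a bare IP address, a bank's name buried as a
subdomain of someone else's domain) using only the standard library.
All link text and addresses are constructed; 203.0.113.5 is a reserved
documentation address standing in for a phisher's server.
"""
import ipaddress
from urllib.parse import urlsplit


def looks_like_address(text: str) -> bool:
    """True if the visible link text is itself written as a web address."""
    text = text.strip()
    return bool(text) and " " not in text and "." in text


def real_host(url: str) -> str:
    """Return the host a browser would actually connect to.

    urlsplit() treats anything before '@' in the authority as userinfo
    (username[:password]) and returns the part after it as .hostname,
    which is exactly what the '@' trick exploits.
    """
    return (urlsplit(url).hostname or "").lower().rstrip(".")


def is_ip_literal(host: str) -> bool:
    """True for hosts written as a raw IPv4 or IPv6 address."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def registrable_domain(host: str) -> str:
    """Last two labels, e.g. 'login.yourbank.com' -> 'yourbank.com'.

    Good enough for the .com-style examples here; production code should
    consult the Public Suffix List so 'yourbank.co.uk' is not cut to 'co.uk'.
    """
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def inspect_link(display_text: str, href: str) -> list:
    """Return human-readable warnings for a link's visible text / href pair."""
    warnings = []
    parts = urlsplit(href)
    host = real_host(href)

    if "@" in parts.netloc:
        warnings.append(f"text before '@' is ignored; link really goes to {host!r}")
    if is_ip_literal(host):
        warnings.append(f"destination is a bare IP address: {host!r}")
    if parts.scheme == "http":
        warnings.append("link is plain http, not https")

    if looks_like_address(display_text):
        shown = display_text.strip()
        shown_host = real_host(shown if "://" in shown else "http://" + shown)
        if shown_host != host:
            warnings.append(f"text shows {shown_host!r} but link goes to {host!r}")
            # e.g. www.yourbank.com.secure-update.example: the bank's name is
            # only a subdomain; the owner is whoever registered the last part.
            shown_reg, real_reg = registrable_domain(shown_host), registrable_domain(host)
            if shown_reg != real_reg and shown_reg in host:
                warnings.append(f"{shown_reg!r} is just a subdomain of {real_reg!r}")
    return warnings


if __name__ == "__main__":
    # Constructed examples of the patterns described in the article.
    samples = [
        ("www.yourbank.com", "http://www.yourbank@203.0.113.5/login"),
        ("https://www.yourbank.com/", "https://www.yourbank.com.secure-update.example/"),
        ("Log in to online banking", "https://www.yourbank.com/login"),
    ]
    for text, href in samples:
        print(f"{text!r} -> {href}")
        for w in inspect_link(text, href) or ["no obvious warning signs"]:
            print("   -", w)
```

Running it prints four warnings for the @ example (the ignored prefix, the bare IP, plain http, and the mismatch between text and destination), two for the subdomain example, and none for a plain link whose visible text is not itself an address. Note that a clean result only means none of these particular tricks is present; it does not make the link safe, and the advice above to open the site yourself still stands.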
One final giveaway. See how many emails you get from supposed banks and merchants that you don’t deal with. It’s obvious then that the phishers are just trawling until they get a bite.
Some browsers provide phishing indicators, which help you sift through some of the more difficult examples. A good example of this capability is found in the Firefox browser, which actively warns you when the page you are about to view has been reported as a suspected phishing site.
So, don’t get caught on the hook. Adopt an attitude of aloofness and cynicism.
Phishing Attacks and How to Spot Them – Recap
- phishing first described in 1987;
- U.S. losses to phishing were $1 billion in 2003;
- simple con makes it so effective;
- never open site from email link;
- phishing emails based on urgent action and knee-jerk reactions;
- hover mouse over link for true website address;
- look out for @ in website address – bad sign.