CPNI - Centre for the Protection of National Infrastructure

Phishing and spoofing

Phishing describes a social engineering process designed to trick an organisation's customers into imparting confidential information such as passwords, personal data or banking and financial details. Most commonly these are criminal attacks, but the same techniques could be used by others to obtain sensitive information.

The trick works by persuading a victim to intentionally perform a series of actions which unwittingly provide access to the information sought by the phisher. In all cases the phisher must impersonate a trusted source, such as a bank or IT helpdesk, whom the victim would expect to ask for the information. The impersonation takes the form of an email, website, advertisement or instant message which looks very similar or identical to the organisation's normal communications, and it may try to scare the victim into immediate action, for example by reporting a fictitious fraud on the account.

Phishing attacks are increasingly sophisticated, but by following some basic principles the likelihood of mitigating an attack is high.

  • Do not click on links in emails. By typing in the URL you can verify that the address is correct.
  • Use URLs or telephone numbers that you know to be correct - if you are asked to urgently contact your bank's website, use your normal internet banking address, not one supplied in an email (note: most banks have a policy of never sending emails asking for your bank details or asking you to log in to an account). If you do not normally use internet banking, telephone your branch.
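As an added illustration of the two principles above (example code, not part of the CPNI page), the following Python checker extracts the links from a constructed sample email, compares the address shown in the link text with the real destination, and flags any destination that is not on a hypothetical allowlist of addresses the reader already knows to be correct.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample email body: one genuine link, two spoofed ones, one unknown host.
SAMPLE_EMAIL_HTML = """
<p>Dear customer, please <a href="https://login.examplebank.test/">log in</a> now.</p>
<p>Or visit <a href="http://examplebank.test.account-verify.example/">https://www.examplebank.test</a></p>
<p>Help: <a href="https://www.examp1ebank.test/help">www.examplebank.test/help</a></p>
<p><a href="https://secure-examplebank.example/">Click here</a> to confirm your details.</p>
"""
# Hypothetical allowlist: the addresses the recipient already knows to be the bank's own.
KNOWN_GOOD_HOSTS = {"examplebank.test", "login.examplebank.test", "www.examplebank.test"}

class LinkCollector(HTMLParser):  # collects (href, visible text) for every <a> element
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host_of(value):  # lower-cased hostname of a URL or of bare 'www.host/path' text ('' if none)
    if "://" not in value:
        value = "http://" + value
    return (urlparse(value).hostname or "").lower()

def classify_links(html):
    """Return (href, verdict) per link: 'ok', 'text-mismatch' or 'unknown-host'."""
    parser = LinkCollector()
    parser.feed(html)
    results = []
    for href, text in parser.links:
        target = host_of(href)
        shown = host_of(text) if re.search(r"[\w-]+\.[\w-]+", text) else ""  # text looks like an address?
        if shown and shown != target:
            verdict = "text-mismatch"   # displayed address differs from the real destination
        elif target not in KNOWN_GOOD_HOSTS:
            verdict = "unknown-host"    # not an address the reader knows to be correct
        else:
            verdict = "ok"
        results.append((href, verdict))
    return results
```

Only a link whose real destination is on the allowlist passes; the lookalike domain and the link whose visible text names a different site are both reported, which is exactly the mismatch a reader avoids by typing a known address instead of clicking.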

To learn more about phishing and spoofing please see "The Phishing Guide (PDF - 1MB)" and "The Pharming Guide (PDF - 2.8MB)".

16/07/2007