Home > 
< back


Phishing emails often look "official", some recipients may respond to them and click into malicious websites resulting in financial losses, identity theft, and other fraudulent activity.

Characteristics of Phishing Emails
Characteristics of Phishing Websites
Common Methods of Phishing Attacks
Phishing Attack Common Techniques

Characteristics of Phishing Emails

A typical phishing email will have the following characteristics:

It normally appears as an important notice, urgent update or alert with a deceptive subject line to entice the recipient to believe that the email has come from a trust source and then open it. The subject line may consist of numeric characters or other letters in order to bypass spamming filters.
It sometimes contains messages that sound attractive rather than threatening e.g. promising the recipients a prize or a reward.
It normally uses forged sender's address or spoofed identity of the organisation, making the email appear as if it comes from the organisation it claimed to be.
It usually copies contents such as texts, logos, images and styles used on legitimate website to make it look genuine. It uses similar wordings or tone as that of the legitimate website. Some emails may even have links to the actual web pages of the legitimate website to gain the recipient's confidence.
It usually contains hyperlinks that will take the recipient to a fraudulent website instead of the genuine links that are displayed.
It may contain a form for the recipient to fill in personal/financial information and let recipient submit it. This normally involves the execution of scripts to send the information to databases or temporary storage areas where the fraudsters can collect it later.

Characteristics of Phishing Websites

A typical phishing website will have the following characteristics:

It uses genuine looking content such as images, texts, logos or even mirrors the legitimate website to entice visitors to enter their accounts or financial information.
It may contain actual links to web contents of the legitimate website such as contact us, privacy or disclaimer to trick the visitors.
It may use a similar domain name or sub-domain name as that of the legitimate website.
It may use forms to collect visitors' information where these forms are similar to that in the legitimate website.
It may in form of pop-up window that is opened in the foreground with the genuine web page in the background to mislead and confuse the visitor thinking that he/she is still visiting the legitimate website.
It may display the IP address or the fake address on the visitors' address bar assuming that visitors may not aware of that. Some fraudsters may perform URL spoofing by using scripts or HTML commands to construct fake address bar in place of the original address.

Common Methods of Phishing Attacks

If the recipient believes that the email comes from a legitimate organisation, there are several common methods used by the fraudsters for phishing.

Install Trojan program or worms to the recipient's computer in form of email attachment to exploit loopholes and vulnerabilities or to take screenshots of the system, in order to obtain sensitive information from the recipient.
Use spyware, such as keyboard loggers, to capture information from the recipient's computer and sends the information back to the fraudsters.

Use deceit to gain recipient's confidence so that the recipient will visit the fraudulent website that appears as legitimate and provide sensitive information by completing a form on web page.

Make Use of Cousin URL

Social engineering technique is often used in phishing emails. These spoofed emails will have similar tone of messages, logos or names of the organisation from what appeared to be the legitimate organisation. The objective is to entice the recipient to enter his personal information. These fake websites normally use Cousin URL links, which are similar to the URL of the original website.

Make Use of Bogus URL and Browser Vulnerabilities

Some bogus websites make use of URI Syntax to form a bogus URL to hide the bogus website address. The URI syntax allows the format of using "@", "%" encoding and Unicode encoding.

Microsoft has reported an IE vulnerability in handling URL is found (MS04-004 issued on Feb 2004). A malicious user might use this syntax to create a hyperlink that opens a bogus website rather than the legitimate website as it appears. This will also hide the actual visited bogus site from displaying and showing in the Address and Status Bar of web browser.

Other Common Techniques

Use legitimate website's look but redirect to another bogus website or pop-up window to confuse visitors.
Use cross-site scripting technique to install malicious codes or scripts on a legitimate website, and then the malicious scripts will be sent along with legitimate web contents to the visitor's browser where they will be executed on the visitor's computer to steal his credentials, to exploit his browser's vulnerabilities or to redirect the browser to other fraudulent websites.
Visual spoofing: Open a pop-up browser without displaying the URL address, menu bar and status bar. The phishers rebuild the menu bar, address bar and status bar which display the fake information. The status bar displays the "lock" icon to confuse visitors that a secure SSL session is loaded and enabled.

Use META tag to redirect the real site to the fraudulent site at the back.

Extended Readings