Common Phishing Exploits

Phishing attacks can take several forms, although most begin with the receipt of a seemingly legitimate email. Over time they have evolved from a simple request via email for your personal and/or financial information to today's more sophisticated attempts to install crimeware on your computer. You will find outlined below some of the more common phishing exploits that are employed today.

An Email Request

The oldest and most common method of phishing is an email requesting personal, financial or computer account information be sent by return email. These emails often appear as though they came from a legitimate source, such as your bank, credit card company, or eBay. The email requests that the user reply with confidential account information usually credit card information. This information is used to manipulate personal information, or clear out bank accounts. A variation of this exploit is to provide a web link in the phishing email that takes the victim to a seemingly official web site where they are tricked into divulging financial data such as credit card numbers, account usernames, passwords and social insurance numbers.

Installing Crimeware on Your Computer

Many of today's phishing attacks involve installing malicious programs, called crimeware or Trojans, onto your computer. These programs can be unknowingly installed on your computer via several methods such as clicking on an attachment, downloading and installing seemingly legitimate programs, clicking on pop-up messages from web sites, visiting web sites that take advantage of security vulnerabilities in your web browser.

Keyloggers or Keystroke Loggers

Keystroke loggers record the keystrokes typed by the end-user on their computer and route that information to thieves. Phishing keystroke loggers are designed to pick up specific information such as access to financial websites, e-commerce sites and web-based email sites.


This type of attack uses malicious code designed with the intent of redirecting end-user's network traffic to a different and suspicious location where his or her confidential information can be extracted and compromised.

Emerging Exploits

Newer phishing attacks are employing methods that rely less on computer vulnerabilities and questionable user behaviour. Instead they study and manipulate common human behavior to use as a tool for obtaining confidential information.


This attack involves constructing fraudulent web sites that have web url's that are similar to legitimate sites. Most often these web site url's are designed to take advantage of users who make common typos when entering the web site address.

Search Engine Poisoning

This attack involves constructing fraudulent websites in such a way so that the fraudulent site will show up near the top of most search engine results, often above the legitimate web site. Commonly used search terms and common typo's are employed in order to increase the likelihood of a user selecting the fraudulent site from the search results.

Published on  and maintained in Cascade CMS.