???
01/31/08 18:36
#150119 - Spoofing URLs
Responding to: ???'s previous message
Hi Oliver,

It purported to be a bank web site, and looked just like the real one, to the point of displaying the legitimate bank URL in IE. I don't know how they do that!


The only way I know of to "spoof" a URL is to use a deceptive TLD followed by something that looks like the legitimate URL. For example, if a phisher wanted to deceive you into believing that you are logged into PayPal, they might have a URL something like this:

http://logon.com/paypal/∙∙∙ etc.

Now that will look to most people like a PayPal URL, but in fact it is a logon.com URL.

DISCLAIMER: I just made logon.com up in the moment. I have no idea if it is a real URL. I am using it only as an example.

The bottom line is that you should make a habit of being aware of the actual TLD you're logged into.

By the way, the reason so many of these fake web sites look so real, and the reason many phishing email messages look so real, is that they use the actual graphics from the real web sites. When your bank, or eBay, or PayPal, or whoever sends out bulk emails, they don't send out thousands of copies of all of those impressive graphics. Instead, they send out email messages with links to those impressive graphics. That way their email goes out much quicker. So when the phishers send out fake email messages, they use the very same links. Well, for the graphics anyway. The links they want you to click on are a different matter.

As Andy pointed out above, it's a simple HTML tag that allows you to embed a clickable link into a message. And the default is that it will display the URL of the link it navigates to. However, you can make it display any text string you want, including the text string of an unrelated website. So the link in the email might say "www.paypal.com", but in fact take you to "logon.com/paypal" or anywhere else the phisher wants. If you pay attention you might notice that the information bar at the bottom of the window will usually display the actual URL address you will go to (see Andy's example above), but even that can be spoofed if the phisher can write Flash.

Perhaps the most sophisticated phishing trick I've ever seen, at least the one that impressed me the most, was one that plays on the intended victims' emotions. It comes as an email from a credit card company, or from PayPal, "confirming" your recent purchase of a $499 digital camera or a $1200 HDTV. It then includes instructions that if you did not make this charge, report it to their "fraud department" immediately, and of course includes a clickable link. Is that ironic, or just twisted? A "fraud department."

The brilliance of the deception is that most people will respond emotionally, with immediate anger. And people are least reasonable when angry. There's no telling how many people logged into the "fraud department" website, filled out all of the forms to report the "fraud," including credit card numbers, security codes, passwords, probably even their mothers' maiden names, without ever once even considering that it might be phishing.
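The display-text-versus-destination trick described in the post above, as an added example that is not part of the original thread: a small Node.js script (built-in WHATWG URL parser only, no third-party packages) that pulls the anchors out of a constructed phishing-style HTML message and flags any whose visible text names one registrable domain while the href actually points at another, including the logon.com/paypal case from the post. The sample message, the helper names, and the two-label approximation of the registrable domain are assumptions made for this example.

```javascript
// Added example, not code from the original thread: flag links whose visible text
// names one domain while the href goes to another, the trick described above.
// Node.js only (built-in WHATWG URL parser), no third-party packages.

// Constructed sample of the kind of HTML a phishing message might carry.
const SAMPLE_EMAIL_HTML = `
<p>We have confirmed your recent purchase of a $499 digital camera.</p>
<p>If you did not make this charge, contact our fraud department at
   <a href="http://logon.com/paypal/fraud">www.paypal.com</a> immediately.</p>
<p><a href="https://www.paypal.com/help">Help Center</a></p>
<p><a href="https://www.paypal.com/">www.paypal.com</a></p>
<p><a href="http://paypal.com.logon.com/">https://www.paypal.com/</a></p>
<img src="https://www.paypal.com/images/logo.gif">
`;

// Lower-cased hostname of an absolute URL, or null if it does not parse.
function hostOf(url) {
  try {
    return new URL(url.trim()).hostname.toLowerCase();
  } catch {
    return null;
  }
}

// Hostname the *visible* text claims, or null when the text is plain words
// ("Help Center") that claim no destination. Link text often omits the scheme
// ("www.paypal.com"), so a bare hostname is read as http://hostname.
function hostOfDisplayText(text) {
  const t = text.trim().replace(/[,.;:!?)]+$/, ''); // drop trailing punctuation
  if (/^[a-z][a-z0-9+.-]*:\/\//i.test(t)) return hostOf(t);
  if (/^[a-z0-9.-]+\.[a-z]{2,}(\/|$)/i.test(t)) return hostOf('http://' + t);
  return null;
}

// Approximate the registrable domain as the last two labels, so www.paypal.com
// and paypal.com.logon.com resolve to paypal.com and logon.com respectively.
// Assumption for the example: a production check would consult the Public
// Suffix List, since two labels is wrong for registries like co.uk.
function registrableDomain(host) {
  return host.split('.').slice(-2).join('.');
}

// Pull every <a href="...">text</a> out of an HTML string. A regex is enough for
// the constructed sample; real mail should go through a proper HTML parser.
function extractAnchors(html) {
  const anchorRe = /<a\s[^>]*href\s*=\s*["']([^"']*)["'][^>]*>(.*?)<\/a>/gis;
  const anchors = [];
  for (const m of html.matchAll(anchorRe)) {
    anchors.push({ href: m[1], text: m[2].replace(/<[^>]+>/g, '') });
  }
  return anchors;
}

// Report anchors whose visible text and real destination disagree on the
// registrable domain. Links whose text is plain words are not comparable.
function findDeceptiveLinks(html) {
  const findings = [];
  for (const { href, text } of extractAnchors(html)) {
    const shownHost = hostOfDisplayText(text);
    const realHost = hostOf(href);
    if (!shownHost || !realHost) continue;
    const shownDomain = registrableDomain(shownHost);
    const realDomain = registrableDomain(realHost);
    if (shownDomain !== realDomain) {
      findings.push({ text: text.trim(), href, shownDomain, realDomain });
    }
  }
  return findings;
}

for (const f of findDeceptiveLinks(SAMPLE_EMAIL_HTML)) {
  console.log(`"${f.text}" claims ${f.shownDomain} but goes to ${f.realDomain} (${f.href})`);
}
```

Run it with `node spoof_check.js`; the two flagged anchors are the "www.paypal.com" text that lands on logon.com and the "https://www.paypal.com/" text that lands on paypal.com.logon.com, while the genuine PayPal links pass. The check only covers the mismatch the post describes (visible text versus href); it says nothing about a spoofed status bar or about lookalike domains where the text and the href honestly agree.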

