(I saw all this on Slashdot, but I figure it'll benefit from a little examination. And not all of the three people who will read this frequent Slashdot, so there's no repetition anyway.)
The latest Net craze is phishing: bogus emails, pop-ups and spams which attempt to get the recipient to disclose personal or financial information. eBay, PayPal and large banks/credit cards are the primary targets. In a nutshell, these fake messages usually try to get people to update or verify their account information. Some say that an account might be deactivated unless the person goes through some steps to keep everything current. Others ask for an address or phone number update, but you need to "verify your identity" first. The most audacious ones inform "the customer" in as scary a way as possible that someone's stolen their account info, and may even tell them to be careful of phishers when reinstating their account. Nearly all offer handy and helpful links or buttons that the user can click on to get started with the information exchange immediately. Isn't that nice of them?
Usually what happens is that those links and buttons are crafted so that they exploit features or weaknesses in most browsers and email clients such that you think you are, for example, going to Household Bank's web site. But you're really going to a very real-looking but completely fake mock-up of a Household Bank page on, say, a Russian web site. This bogus web page saves the personal information you give it, and then the people running the scam either bilk you outright or sell your personal information to people who will then either bilk you or steal your identity. Some of the more fancy phishing schemes even dump you back on a page at the real, official web site after the update or verification or whatever is over. All the better to make people think they were at Citibank's site all along, I guess.
You'd think that emails saying "Hi, we here at Paypal would like you to click this link and enter all your financial and personal information please" would get immediately canned, but phishing apparently has a success rate of about 30%. It's very scary how real some of the phishing scams can look. How many times do you look at the "hover text" when you mouse over a link? How closely do you look at URLs when you finally click that link? How many times do you open a new browser window before going to a web site where you'll have to enter confidential information? When did you disable HTML content in email? Yeah, I thought so. It's a pain in the ass to conduct yourself securely online, so most people don't.
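Here is an added example (my own, not part of the original post) of the kind of check a mail filter can run over the links in an HTML message: it compares the domain shown in the link text with where the href actually goes, which is exactly what the hover text would have told you. The sample message and all domains in it are constructed, using reserved example names.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample HTML e-mail body; every domain is a reserved example name.
SAMPLE_EMAIL = """
<p>Dear customer, your account will be deactivated unless you verify it.</p>
<p>Help: <a href="https://www.bank.example/help">www.bank.example</a></p>
<p><a href="http://www.bank.example@203.0.113.5/verify">http://www.bank.example/verify</a></p>
<p><a href="http://secure-update.example.org/bank">https://www.bank.example/update</a></p>
"""

class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def registrable(host):
    """Crude comparison key: last two labels (no public-suffix list here)."""
    return ".".join(host.lower().split(".")[-2:])

def link_warnings(href, text):
    """Return the reasons a link looks deceptive; an empty list means clean."""
    url = urlsplit(href)
    host = url.hostname or ""
    reasons = []
    if url.username is not None:          # text before '@' is not the host
        reasons.append("user-info in front of the real host")
    if re.fullmatch(r"\d+(\.\d+){3}", host):
        reasons.append("raw IP address instead of a hostname")
    shown = re.search(r"[a-z0-9-]+(?:\.[a-z0-9-]+)+", text.lower())
    if shown and registrable(shown.group(0)) != registrable(host):
        reasons.append(f"text names {shown.group(0)} but link goes to {host}")
    return reasons

def audit(html):
    """Return [(href, text, reasons)] for each link that trips a heuristic."""
    parser = LinkExtractor()
    parser.feed(html)
    found = [(h, t, link_warnings(h, t)) for h, t in parser.links]
    return [item for item in found if item[2]]
```

Running `audit(SAMPLE_EMAIL)` flags the second and third links and leaves the first alone; the "registrable domain" comparison is deliberately simple and would need a public-suffix list for production use.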
Go take the Phishing Test and see how you do.
By the way, I got 10 out of 10 correct. Whether that's because I knew what to look for in a fake or because (I use a text-only email client) I've never seen a real email from a bank before and so couldn't get lulled into complacency by a logo or whatever, I don't know. I suspect a combination of the two. Because they were all basically new to me, I did read over the email for each question pretty carefully looking for clues. Any spelling or grammar errors, for instance, immediately got it tagged as fake. Whether I'd scrutinize an email in my inbox that closely I don't know. I would pick up on fake URLs. I have to manually copy links in emails and paste them in a separate web browser window in order to view them, and I'd probably notice I was pasting links like http://. Actually, I'd probably just delete the email, even if it was legitimate. If my bank or credit card company wants to deal with me, they can buy a stamp. There are some things the Internet isn't good for.