Typically, you receive an email that appears to come from a reputable organization, such as:
- Banks
- Social media (Facebook, Twitter)
- Online games
- Online services with access to your financial information (e.g., iTunes, student loans, accounting services)
- Departments in your own organization (your technical support team, system administrator, help desk, etc.)
The email includes what appears to be a link to the organization's website. However, the visible link text can show one address while the underlying link target is another, so if you follow it you are taken to a phony copy of the website. Any details you enter there, such as account numbers, PINs or passwords, are captured by the attackers who built the bogus site.
Sometimes the link does open the genuine website but superimposes a bogus pop-up window on it. You can see the address of the real website in the background, but anything you type into the pop-up is sent to the attacker, not to the organization.
To better protect against phishing attacks, it is good practice not to click on links in email messages at all. Instead, type the organization's address into the browser's address bar and navigate to the correct page yourself, or use a bookmark or Favorite you created earlier.
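The mismatch described above, where the visible link text shows one address while the link target points somewhere else, is something a mail gateway or a user-reporting tool can check mechanically. The following is an added example and is not code from the original page: it extracts the anchors from a constructed HTML email body, compares the domain shown in the link text with the domain the link actually goes to, flags punycode (lookalike) hostnames, and flags hosts that contain a trusted brand name under an untrusted registrable domain. The sample email, the `examplebank.example` trusted domain, and the two-label approximation of a registrable domain are all assumptions made for the example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample email body for the example (not from the original page).
# Link 1: visible text shows the bank's address, but the href goes elsewhere.
# Link 2: punycode hostname meant to look like the bank's domain.
# Link 3: a legitimate link to the assumed trusted domain.
SAMPLE_EMAIL_HTML = """
<p>Dear customer, please verify your account:</p>
<a href="http://login.examplebank.com.account-verify.example/secure">https://www.examplebank.com/login</a>
<a href="https://xn--exmplebank-x9a.example/">examplebank.example</a>
<a href="https://www.examplebank.example/help">Contact support</a>
"""

# Assumed list of domains the organization actually owns.
TRUSTED_DOMAINS = {"examplebank.example"}


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from <a> tags."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Approximate the registrable domain as the last two labels.
    Assumption for the example: no public-suffix list is available offline,
    so multi-label suffixes such as co.uk are not handled."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def host_of(url):
    return (urlparse(url).hostname or "").lower()


def analyze_link(href, text, trusted):
    """Return a list of human-readable findings for one anchor."""
    findings = []
    href_host = host_of(href)
    href_dom = registrable_domain(href_host)

    # 1. The visible text looks like a URL or hostname but its domain differs
    #    from where the link really goes.
    m = re.match(r"^(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", text.lower())
    if m:
        text_dom = registrable_domain(m.group(1))
        if text_dom != href_dom:
            findings.append(f"displayed {text_dom} but links to {href_dom}")

    # 2. Any punycode label in the host is a candidate lookalike (IDN) domain.
    if any(label.startswith("xn--") for label in href_host.split(".")):
        findings.append("punycode host")

    # 3. A trusted brand name appears in the host, but the registrable domain
    #    is not one the organization owns (e.g. brand.attacker.example).
    for brand in trusted:
        brand_name = brand.split(".")[0]
        if brand_name in href_host and href_dom not in trusted:
            findings.append(f"'{brand_name}' in host but domain {href_dom} is untrusted")
    return findings


def analyze_email(html, trusted=TRUSTED_DOMAINS):
    """Return [(href, visible_text, findings)] for every link in the email."""
    parser = LinkExtractor()
    parser.feed(html)
    return [(href, text, analyze_link(href, text, trusted)) for href, text in parser.links]


if __name__ == "__main__":
    for href, text, findings in analyze_email(SAMPLE_EMAIL_HTML):
        status = "SUSPICIOUS" if findings else "ok"
        print(f"{status:10} {text!r} -> {href}")
        for f in findings:
            print(f"             - {f}")
```

The first link is flagged twice (its text names `examplebank.com` while the target is `account-verify.example`, and the brand name sits under an untrusted domain); the second is flagged for the text/target mismatch and the punycode host; the plain "Contact support" link to the trusted domain produces no findings. The check is deliberately simple: it is a triage aid for a reporting workflow, not a substitute for the advice above to type the address yourself.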
Phishing attacks via email are beginning to include an offline component designed to get even well-trained users to leak information. We have seen phishing schemes direct victims to phone numbers and fax numbers in addition to websites, where the same request for account details is made by voice or on a form.
Anti-spam software can block many phishing emails, and web security software can block access to known phishing websites. Neither catches everything, so the habit of not following links in email remains your main protection.