Phishing Attacks
Phishing is an attack that uses email or Web site content to trick victims into doing things that they would not normally do. Phishers succeed by establishing a sense of trust with the victim. The general class of such attacks is known as social engineering attacks. Examples of social engineering attacks include:
• Calling an employee posing as a service desk technician and asking for the employee’s password to troubleshoot a problem with network logins.
• Sending a legitimate-looking email claiming your account with a well-known online retailer has been compromised and requesting you click an embedded link to go to a form that will allow you to update your password.
• Requesting that users take a brief survey about customer service in return for a cash payment. The link in the email leads to a phishing site that downloads malicious software, such as a keylogger that captures usernames and passwords for banking and other financial services.
A phishing attack generally proceeds in three steps:
1. Establish the victim’s trust using a “lure,” typically an email that appears legitimate.
2. Convince the user to take an action that will enable the capture of confidential information.
3. When the action in step 2 is taken, collect the confidential information and terminate the session.
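The lure in step 1 is the part of this procedure a defender can inspect before the victim acts. The following is an added example, not code from the original text: a small heuristic checker, using only the Python standard library, that parses a raw email and reports the tell-tale signs of the retailer lure described above (a sender display name that names the brand while the address domain does not belong to it, anchor text showing one host while the href points at another, a plaintext http link, and urgency language). The two sample messages, the brand name "Example Retailer", and all domains in them are constructed for this example.

```python
"""Heuristic phishing-lure checker (added example, standard library only).

All sample messages, brand names and domains below are constructed for
illustration and do not refer to any real organisation.
"""
import email
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Phrases typical of a lure that pressures the victim to act (assumed list).
URGENCY_WORDS = ("compromised", "suspended", "verify", "update your password", "act now")

# Constructed lure modelled on the "retailer account compromised" example.
SAMPLE_LURE = """\
From: "Example Retailer Security" <alerts@examp1e-retailer-support.net>
To: victim@example.org
Subject: Your account has been compromised - action required
Content-Type: text/html; charset="utf-8"

<html><body>
<p>We detected unusual activity. Please update your password within 24 hours.</p>
<p><a href="http://examp1e-retailer-support.net/login">https://www.example-retailer.com/account</a></p>
</body></html>
"""

# Constructed legitimate message from the same (assumed) brand, for contrast.
SAMPLE_LEGIT = """\
From: "Example Retailer" <noreply@example-retailer.com>
To: victim@example.org
Subject: Your order 1234 has shipped
Content-Type: text/html; charset="utf-8"

<html><body><p>Track it here: <a href="https://www.example-retailer.com/track">Track your order</a></p></body></html>
"""


class LinkExtractor(HTMLParser):
    """Collects (visible anchor text, href) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def shown_host(text):
    """Host the reader believes they are clicking, if the anchor text looks like a URL or hostname."""
    text = text.strip()
    if "://" in text:
        return (urlparse(text).hostname or "").lower()
    if re.fullmatch(r"[\w-]+(\.[\w-]+)+", text):
        return text.lower()
    return ""  # plain words such as "Track your order" carry no host claim


def analyze_lure(raw_message, brand_name, brand_domain):
    """Return a list of indicator strings for a raw RFC 5322 message.

    brand_name / brand_domain describe the organisation the message claims
    to come from; they are supplied by the caller, not parsed from the mail.
    """
    msg = email.message_from_string(raw_message, policy=policy.default)
    indicators = []

    # 1. Display name impersonates the brand while the address domain is foreign.
    sender = msg["From"].addresses[0]
    sender_domain = sender.domain.lower()
    owned = sender_domain == brand_domain or sender_domain.endswith("." + brand_domain)
    if brand_name.lower() in sender.display_name.lower() and not owned:
        indicators.append(f"display name '{sender.display_name}' but sender domain {sender_domain}")

    # 2. Anchor text shows one host while the href leads somewhere else.
    body = msg.get_body(preferencelist=("html", "plain"))
    content = body.get_content() if body else ""
    extractor = LinkExtractor()
    extractor.feed(content)
    for text, href in extractor.links:
        actual = (urlparse(href).hostname or "").lower()
        shown = shown_host(text)
        if shown and actual and shown != actual:
            indicators.append(f"link text {shown} but href {actual}")
        if href.lower().startswith("http://"):
            indicators.append(f"plaintext http link to {actual}")

    # 3. Urgency language in the subject or the tag-stripped body.
    text_fields = ((msg["Subject"] or "") + " " + re.sub(r"<[^>]+>", " ", content)).lower()
    for word in URGENCY_WORDS:
        if word in text_fields:
            indicators.append(f"urgency phrase '{word}'")
    return indicators


if __name__ == "__main__":
    for line in analyze_lure(SAMPLE_LURE, "Example Retailer", "example-retailer.com"):
        print("INDICATOR:", line)
```

Each check maps to one technique the lure relies on: the display name supplies the trust, the mismatched href supplies the redirection, and the urgency wording drives the victim to act before looking closely. None of these indicators is proof on its own; real mail gateways combine such heuristics with reputation and authentication results (SPF, DKIM, DMARC), which this example does not cover.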
Phishers have developed multiple techniques for each of these steps.