A phishing attack is a trick e-mail sent randomly to perhaps a million recipients, and the thief counts on the numbers game aspect: Out of any given huge number of people, a significant percentage will fall for the trick.
The trick is that the e-mail contains certain information or is worded in such a way as to get the recipient to click on the link in the message. Clicking on the link brings the user to a website that then downloads malware.
Or, the website is made to look like it's from the user's bank or some other major account, asking for their account number and other pertinent information like passwords and usernames; they type it in (and it goes straight to the thief). Sometimes this information is requested straight in the e-mail's message, and the user sends the information in a direct reply.
The Google Online Security Blog did some analysis of phishing e-mails and came up with the following:
Malicious websites really do work: 45 percent of the time. As for getting users to actually type in their personal information, this happened 14 percent of the time. Even very fake looking sites went over the heads of three percent. Three percent sounds like peanuts, but what's three percent of one million?
Hasty hackers. Once the hacker gets the login information, he's into the victim's account within 30 minutes 20 percent of the time. They may spend a lot of time roaming around in the account, which often includes changing the password to keep the victim out.
Those strange e-mails. Ever get an e-mail in which the sender is a very familiar person, but the message was also cc'd to a hundred other people? And the body message only says, "Hi there!" and then there's a link? This is likely an e-mail from the victim's e-mail account (which the hacker knows how to get into), and the thief copied everyone in the victim's address book. Recipients of these phishing attacks are 36 percent more likely to fall for the ruse than if the attack comes as a single message from an unfamiliar sender.
Fast adaption. Phishing specialists are good at quickly changing their strategies to keep up with changes in security.
The Google Online Security Blog recommends: