Gone Phishin'
By Paul McFedries
First Published April 2006
Illustration: Greg Mably
For the past few months I've been
beta-testing Microsoft Internet Explorer 7. It comes
with a number of new features but, because I'm a
language watcher, the feature that most interested me
was the Phishing Filter. Huh? Could Microsoft, as
corporate and mainstream as a tech company can get, be
using the jargon term phishing in its flagship Web
browser? At first I figured that it must be some sort of
internal code name, but no, it's the actual mass-market
name of the feature.
This small ripple in the linguistic pool is a
reflection not of a newfound coolness on Microsoft's
part but of the phishing phenomenon itself, particularly
how pervasive it has become and how most folks grasp the
theory and seriousness of this vulnerability.
"Phishing" refers to creating a replica of an
existing Web page to fool users into submitting
personal, financial, or password data to what they think
is their bank or a reputable online retailer. The term
comes from the fact that Internet scammers use
(increasingly sophisticated) lures to "fish" for users'
sensitive data. Hackers have an endearing tendency to
change the letter "f" to "ph," so "fishing" becomes
"phishing." (The f-to-ph transformation is not new among
hackers; it first appeared in the late 1960s among the
hackers of the telephone system, who called themselves
phone phreaks. There are still plenty of these phreaks
around today, but often their targets are more modern. A
good example is VoIPhreaking, which involves hacking
voice-over-Internet-Protocol telephony systems.)
The most common ploy used by phishers is to copy the
page code from a major Web site—such as AOL or
eBay—and use that code to set up a replica page that
appears to be legitimate. (This is why phishing is also
called brand spoofing.) Fake e-mail is distributed with
a link to this page, which solicits the user's credit
card data or password. (If it's the latter, then the
page is called a password trap.) When the user submits
the form, the data go to the scammer, and the user ends
up on an actual page from the company's site, so he or
she doesn't suspect a thing.
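The ploy just described (a fake e-mail whose link leads to a replica of a brand's page) leaves a detectable trace: the link's visible text or wording claims one brand while its real destination is another host. The following Python script is an added example, not part of the original column, and the protected-brand list, the hostnames and the sample e-mail body are all constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Brands to protect and their real domains (constructed list; extend as needed).
PROTECTED_BRANDS = {"ebay": "ebay.com", "aol": "aol.com"}


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML e-mail body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(url):
    return (urlparse(url).hostname or "").lower()


def _same_site(host, brand_domain):
    return host == brand_domain or host.endswith("." + brand_domain)


def suspicious_links(html):
    """Return (href, reason) for links that appear to impersonate a protected brand."""
    parser = _LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        host = _host(href)
        text_host = _host(text) if "://" in text else text.lower()
        for brand, domain in PROTECTED_BRANDS.items():
            if _same_site(host, domain):
                continue  # the link really goes to the brand's own site
            if _same_site(text_host, domain):  # displayed URL lies about the destination
                findings.append((href, f"text claims {domain} but href host is {host!r}"))
            elif brand in host.replace("-", "").replace(".", ""):  # look-alike hostname
                findings.append((href, f"host {host!r} mimics {brand}"))
    return findings


# Constructed sample: one brand-spoofing link, one genuine link to the brand's site.
SAMPLE_MAIL = """<p>Dear member, please visit <a href="http://signin.ebay-verify.example/login">
http://www.ebay.com/signin</a> to confirm your account, or see
<a href="https://pages.ebay.com/help/">eBay Help</a>.</p>"""
```

Running `suspicious_links(SAMPLE_MAIL)` flags only the first link; the substring check for look-alike hosts is deliberately loose and will produce some false positives on unrelated domains that happen to contain a brand name.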