Phishing is an attempt by a malicious actor to acquire sensitive information, such as usernames, passwords, and credit card details, by luring users to a fake website masquerading as a trusted website. Some websites help users identify trusted websites by requiring each user to select a personal image. The trusted website then displays that personal image at each login attempt. Only after a user has identified the personal image are they allowed to provide their credentials and log in.
However, many users enter their credentials even if the personal image is absent or incorrect. Moreover, even if the image is correct, a malicious actor can fake the personal image by capturing a screenshot of the trusted website while it is displaying the user's personal image. The captured image can then be displayed on the phishing website. Finally, most websites ask users to select their personal image from a small set of pre-selected images. A phishing website can display a random image from that set to users when they attempt to log in. At least some combinations of image and user would match the user and image displayed by the trusted website.