“Phishing” is the act of sending an e-mail to a user falsely claiming to be an established, legitimate enterprise in an attempt to scam the user into surrendering private information that may be used for illicit purposes. Typically, such an e-mail directs the user to visit a Web site where the user is asked to update personal information, such as passwords and credit card, social security, and bank account numbers, that the legitimate organization already has. The Web site, however, is bogus and set up only to steal the user's information.
Phishing is growing in sophistication and in cost to end users and financial institutions, and accounts for a significant portion of malicious e-mail traffic. Attackers have moved away from virus and worm development toward increasingly sophisticated phishing campaigns, some of which are narrowly targeted. Electronic newsletters, for example, which are often caught by spam filters, can be spoofed. It is often impossible or insecure to “unsubscribe” from such newsletters, because links in spam are generally not to be trusted; consequently, the “unsubscribe” link may go unused. And once an e-mail address has been given out, the recipient cannot guarantee that it will not be used for aggressive marketing or sold to spammers.
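The two paragraphs above describe a phishing message as one that directs the user to a bogus Web site while posing as a known sender, and a spoofed newsletter whose “unsubscribe” link cannot be trusted. As an added illustration that is not part of the original text, the following Python script checks one observable trait of such messages from the recipient's side: an HTML link whose visible text names one domain while its href points to another. The sample e-mail body, the host names and the simplified domain comparison are all constructed for this example.

```python
# Added illustration (not from the original text): flag links in an HTML
# e-mail body whose visible text names one domain while the href points
# elsewhere, a common trait of messages that lead users to a bogus site.
from html.parser import HTMLParser
from urllib.parse import urlparse
import re

# Matches something that looks like a host name inside the link's visible text.
_DOMAIN_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.IGNORECASE)


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registered_domain(host):
    """Crude 'registrable domain': the last two labels of the host.
    This is a constructed simplification; a real filter would consult the
    Public Suffix List so that e.g. co.uk is handled correctly."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def find_mismatched_links(html_body):
    """Return a list of (href, text, reason) for links whose href host
    disagrees with the domain named in the link's visible text."""
    parser = _LinkCollector()
    parser.feed(html_body)
    findings = []
    for href, text in parser.links:
        if not href:
            continue
        host = urlparse(href).hostname
        if host is None:  # mailto:, relative links, etc. carry no host
            continue
        m = _DOMAIN_RE.search(text)
        if not m:  # visible text names no domain, so nothing to compare
            continue
        claimed = registered_domain(m.group(1))
        actual = registered_domain(host)
        if claimed != actual:
            findings.append(
                (href, text, f"text names {claimed}, link goes to {actual}")
            )
    return findings


# Constructed sample body: the first link poses as the bank, the second is a
# plausible newsletter unsubscribe link whose text names no domain at all.
SAMPLE = """<p>Please update your account at
<a href="http://login.example-bank.test.attacker.example/update">www.examplebank.example</a>.
To stop these messages, <a href="https://newsletter.examplebank.example/unsub?id=1">unsubscribe</a>.</p>"""

if __name__ == "__main__":
    for href, text, reason in find_mismatched_links(SAMPLE):
        print(f"suspicious link: {text!r} -> {href} ({reason})")
```

Only the first link is reported: its text names examplebank.example while the href resolves to attacker.example. The “unsubscribe” link is not flagged because its visible text names no domain, which is exactly why the paragraph above notes that such links cannot be judged trustworthy from the message alone.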
It would be desirable, therefore, if a mechanism were available to protect electronic newsletters and other e-commerce sites from being easy targets for phishing. It would also be desirable if a clear, differentiated channel were available for transactional e-mail (e.g., orders and statements).