In the classic 1973 heist movie The Sting, two con men—played by Robert Redford and Paul Newman—build a fictitious world in a Depression-era Chicago basement to defraud a corrupt banker. They make an offtrack-betting room, hire actors to ensure the scene is convincing, and even enlist pretend law enforcement to fake-bust their mark. The film is memorable because it is one of the finest movies in the genre, well written and funny, but also because the duo’s work is so meticulously detailed.
The con has changed since then, both short and long. In this age, the online equivalent of The Sting is a phishing site: a fake reality that lives online, set up to capture precious information such as logins and passwords, bank-account numbers, and the other functional secrets of modern life. You don’t get to see these spaces being built, but—like The Sting’s betting room—they can be perfect in every detail. Or they can be thrown together at the last minute like a clapboard set.
This might be the best way to think about phishing: a set built for you, to trick information out of you; built either by con men or, in the case of the recent spear-phishing attack caught and shut down by Microsoft, by spies and agents working for (or with) interfering governments, which seems a bit more sinister than Paul Newman with a jaunty smile and a straw hat.
But that’s the untargeted stuff. Enticing someone to click on a phishing link, in an email or elsewhere, is where a targeted attack, also known as spear-phishing, comes in: learning about someone’s life and habits to know just what email would get them unthinkingly to click. A reality built for one person, or one cohort of people. The con is on, the set is built, and the actors are hired to make the sting, all from a web browser.