Wormwood,
I must confess that I was taken aback by your e-mail requesting that I share with you the secrets of my phishing success. But I am impressed with the audacity of your request, your ability to find a way to contact me and, perhaps most importantly, that you have discovered my real name. Given that fact, and that I have now made quite enough money to live on comfortably, I probably should pass on my knowledge to a successor and retire gracefully.
The first step on the road to becoming a master phisher is to pick a jurisdiction from which to operate. Sadly, given the requirement for a reasonable internet connection, there are fewer places where one can go to earn a decently dishonest living in peace. Current popular haunts include eastern Europe, Russia, and that old favourite, South America.
Once safely entrenched, it's time to pick your target. The traditional companies, such as PayPal and the major American banks, are now rather passé, and eBay phishes have become less effective with the introduction of countermeasures in the eBay toolbar, which blocks access to known spoof sites.
No, the way of the immediate future is micro-marketing - focusing on smaller financial institutions such as credit unions and local banks. They have fewer customers, but you only need to reach a handful of gullible (although I like to call them "generous") ones to make it all worthwhile.
Another option is the "novelty phish", where one picks up on recent or upcoming events and plays on the sympathies of the general public. One associate of mine had great success "raising campaign funds for George Bush" at around the time of the last US Presidential election. Similar, more recent efforts have involved Hurricane Katrina. The key to success here is picking a subject where the heart will overrule the head. People are credulous creatures, eager to believe. You must make it easy.
So, once you have chosen your target, you must construct a convincing site. A quick and easy way is to save the real thing from your browser and tweak it to send the information back to yourself. Modern browsers make this particularly easy, as you can "Save Entire Page" to capture all of the associated images and style sheets.
Alternatively, and rather cheekily, you can copy the code from a site being used by another member of the community. After all, I'm sure you get as much phishing e-mail as I do, and many of the sites offered are rich sources of good quality material.
The next step is to register a convincing domain name. So, if your target is mybank.com, register something like mybank-online.com or mybankinc.com. Consumers usually don't know exactly which domains their bank operates from – and, in fact, many banks help us out by using multiple domains and redirecting between them seemingly at random, adding to a delicious feeling of confusion in the user's mind.
When you hit the big leagues, you'll be hosting multiple sites on networks of zombie computers, aka "botnets", made up from the home PCs of unsuspecting, ordinary people who haven't yet realised the need to use a firewall and to not run executable attachments sent to them by e-mail. At that point, you probably won't bother registering a domain for each site. Most people careless enough to fall for phishing scams are happy to put their credit card number into any form which asks for it politely, domain name or no domain name.
The same applies to SSL (that little padlock icon). As getting an SSL certificate usually requires revealing information about yourself, and as, laudably, many consumers don't bother themselves with the indicators put into browsers for their benefit, I wouldn't bother.
It's getting late, and I must retire to bed. However, that should have given you a great deal to think about. I must confess, I'm rather enjoying documenting my methods; it's given me many opportunities to reminisce. When I next find the time, I will write to you of the steps required to attract "visitors" to your newly-minted site, and the safest ways to use the information obtained.
Yours cordially,
Screwtape
(With apologies to CS Lewis)
Read Screwtape's further missive here.
Gervase Markham works for the Mozilla Foundation, a non-profit organisation dedicated to promoting choice and innovation on the internet. His blog is Hacking for Christ.
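Added example, not part of the original article: a minimal defender-side URL triage for the three traits the letter describes, namely a bank's name inside a domain the bank does not own, a bare IP address in place of a domain, and no SSL/TLS. The allow-list, brand token and sample URLs are constructed assumptions built on the letter's own mybank.com example.

```python
import ipaddress
from urllib.parse import urlsplit

# Assumptions for illustration: the domains the bank really operates,
# and the brand token to look for in everything else.
LEGIT_DOMAINS = {"mybank.com"}
BRAND_TOKENS = {"mybank"}


def _is_ip_literal(host):
    """True when the host is a raw IPv4/IPv6 address rather than a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def phishing_indicators(url):
    """Return the indicators from the letter that this URL exhibits."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower().rstrip(".")
    findings = []
    if parts.scheme != "https":
        findings.append("no-tls")
    if _is_ip_literal(host):
        findings.append("ip-literal-host")
        return findings
    # A host is legitimate only if it is an allow-listed domain or a
    # subdomain of one; "mybank.com.example.net" does not qualify.
    owned = any(host == d or host.endswith("." + d) for d in LEGIT_DOMAINS)
    if not owned:
        # Drop separators so "my-bank.com" and "mybank-online.com" both match.
        squashed = host.replace("-", "").replace(".", "")
        if any(token in squashed for token in BRAND_TOKENS):
            findings.append("brand-in-unowned-domain")
    return findings


# Constructed sample URLs, e.g. links extracted from reported e-mails.
SAMPLES = [
    "https://www.mybank.com/login",
    "http://mybank-online.com/login",
    "https://mybankinc.com/",
    "http://192.0.2.10/mybank/login.html",
    "https://mybank.com.example.net/",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, phishing_indicators(sample))
```

Because many banks really do use several domains, the allow-list has to be complete before the third check is useful; an incomplete list flags the bank's own sites.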
© Copyright 2008 Times Newspapers Ltd.