My dear Wormwood,
Thank you for your email. There's no need to take such a harsh tone; I know my obligation and was just on the point of writing to you again to follow up my first letter.
After you've built your phishing site, you'll need somewhere to host it. These days, sites are usually hosted on compromised machines with broadband connections. However, there's no need to go to the effort of breaking into one yourself. There are specialists who do that for us in an automated fashion, so effectively that the price for control of a single machine is only a few US dollars. It amuses me to think of the unsuspecting people who have paid thousands for their "Ultimate Ninja Games Machine", only to have full control of it sold or rented to you by some "script kiddie" for a pittance.
A site without traffic is nothing, and so we must now turn our minds to publicity. Here, e-mail is king, partly because of its greater perceived legitimacy – after all, who expects their bank to send them an instant message? – but also because we can leverage the existing mass-mailing infrastructure set up by the spammers.
There are three main ways to obtain e-mail addresses. The first is to harvest them from the web. However, people whose addresses are available this way are mostly wise to phishing. Another ploy is to pick a popular e-mail domain, such as hotmail.com, and go through lots of different combinations of names, surnames and initials in the hope of getting lucky. This has a fairly low hit rate.
You can also purchase lists of addresses, but quality is not guaranteed. So none of these methods is particularly satisfactory. Innovation in this area is one of the ways you can best improve your success rate; virgin addresses are hard to come by.
Writing your e-mail is where you can let your creative side show itself, and this art distinguishes the great phisher from the pretender. The best lures create an unease and a sense of urgency, scaring the user into acting before thinking. So, such lines as "Account lockout imminent" and "Important security check" both tend to get good results. Remember, your e-mail will be far more convincing if you spell everything correctly, a point that is, puzzlingly, often neglected.
Once your lure is written, you need to send it out. The spammers have the expertise here, and you'd be well advised to sub-contract. Timing is also key. Once you send it, you are announcing the existence of your site to the world, including the law, who will immediately start trying to shut it down. You can delay this process by having your lure sent out on a Friday night. That way, the owners or system administrators of your host will be harder to contact, buying you a few more precious hours.
Next, sit back and wait for the harvest. If you've done all the previous steps right, a steady stream of useful data should be flowing in your direction. But you still need to turn the information into money, and it's not as easy as just logging in and making a transfer to yourself. That's the fastest way to have the police at your door. You need to launder the money, and that means cash. Fortunately, this is another area where you can get someone else to do your dirty work.
"Mules" extract money from bank accounts and post it to you. They can be either knowing or unwitting – the knowing ones are more professional, but take a larger cut. Unwitting ones are recruited via e-mail suggesting they earn extra money working from home as the local financial representative for an international company. It's amazing that people fall for such transparent ploys, but wonderfully they do. A promise of money is a great antidote to common sense.
Once the brown envelopes arrive, you are laughing. Speaking of which, is that the postman I hear at the door? He does seem to be knocking rather hard. Maybe the package won't fit through the letterbox. I'll send this off, and go and investigate.
Yours ever,
Screwtape
(With further apologies to CS Lewis)
Gervase Markham works for the Mozilla Foundation, a non-profit organisation dedicated to promoting choice and innovation on the internet. His blog is Hacking for Christ
© Copyright 2008 Times Newspapers Ltd.