Phishing attacks use a variety of techniques to make the presentation of an email message or web page deceptively different from its implementation. In this section, we catalog a few of the techniques that have been seen in the wild:
- Copying images and page designs
- Similar domain names
Another way that users authenticate web sites is by examining the URL displayed in the address bar. To deceive this indicator, the attacker may register a domain name that bears a superficial similarity to the imitated site's domain. Sometimes a variation in capitalization or use of special characters is effective. Because most browsers display the URL in a sans-serif font, paypaI.com has been used to spoof paypal.com, and barcIays.com to spoof barclays.com. More commonly, however, the fake domain name simply embeds some part of the real domain: ebay-members-security.com to spoof ebay.com, and users-paypal.com to spoof paypal. Most users lack the tools and knowledge to investigate whether the fake domain name is really owned by the company being spoofed.
- URL hiding
Another way to spoof the URL took advantage of a little-used feature in URL syntax. A username and password could be included before the domain name, using the syntax http://username:password@domain/. Attackers could put a reasonable-looking domain name in the username field, and obscure the real domain amid noise or scroll it past the end of the address bar (e.g., http://earthlink.net%6C%6C...%6C@18.104.22.168). Recent updates to web browsers have closed this loophole, either by removing the username and password from the URL before displaying it in the address bar or (in the case of Internet Explorer) by simply forbidding the username/password URL syntax entirely.
- IP addresses
The simplest expedient for obscuring a server's identity is to display it as an IP address, such as http://22.214.171.124. This technique is surprisingly effective. Because many legitimate URLs are already filled with opaque and incomprehensible numbers, only a user knowledgeable enough to parse a URL, and alert enough to actually do so, is likely to be suspicious.
- Deceptive hyperlinks
- Obscuring cues
- Pop-up windows
A recent attack against Citibank customers has taken page copying a step further, by displaying the true Citibank web site in the browser but popping up an undecorated window on top to request the user's personal information.
- Social engineering
Phishing attacks also use nontechnical approaches to persuade users to fall for the attack. One tactic is urgency so that the user will feel rushed to comply and be less likely to take time to check the message's authenticity. Another tactic is a threat of dire consequences if the user fails to comply, such as terminating service or closing accounts. A few attacks promise big rewards instead ("You've won a great prize!"), but threatening attacks are far more common. It may be human nature that users would be more suspicious of getting something for nothing.
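The three URL-based deceptions catalogued above (look-alike and brand-embedding domains, userinfo hiding, and bare IP hosts) can be checked mechanically before a link is shown to a user. The following is an added example, not code from the paper: a small Python filter that reports which of those indicators a URL exhibits. The protected-brand list, the confusable-character table and the rule that a brand legitimately owns only brand.com are constructed assumptions for the example.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed list of brands to protect (assumption for this example, not from the paper).
PROTECTED_BRANDS = ("paypal", "ebay", "barclays", "citibank")

# Glyphs that look alike in common sans-serif fonts: the paypaI.com / barcIays.com trick.
CONFUSABLES = str.maketrans({"I": "l", "1": "l", "0": "o", "5": "s"})


def hostname_of(url: str) -> str:
    """Return the host the browser actually connects to, with userinfo and port removed.

    The raw netloc is used instead of urlsplit().hostname so that letter case survives
    for the confusable-glyph check (hostname() lowercases everything).
    """
    parts = urlsplit(url if "://" in url else "http://" + url)
    host_port = parts.netloc.rsplit("@", 1)[-1]   # everything after the last '@'
    return host_port.split(":", 1)[0]              # drop an explicit port


def url_warnings(url: str) -> list[str]:
    """Return the deception indicators found in url; an empty list means none were found."""
    warnings = []
    parts = urlsplit(url if "://" in url else "http://" + url)
    if "@" in parts.netloc:
        warnings.append("userinfo before host")   # http://decoy@real-host trick
    host = hostname_of(url)
    try:
        ipaddress.ip_address(host)                 # raises ValueError for a normal name
        warnings.append("bare IP address as host")
        return warnings                            # no brand checks on a numeric host
    except ValueError:
        pass
    lowered = host.lower()
    labels = lowered.split(".")
    registrable = ".".join(labels[-2:])            # crude second-level + TLD; no public-suffix list
    folded = host.translate(CONFUSABLES).lower()   # what the host *looks like* on screen
    for brand in PROTECTED_BRANDS:
        if registrable == f"{brand}.com":          # assumed to be the brand's own domain
            continue
        if brand in folded and brand not in lowered:
            warnings.append(f"confusable spelling of {brand}")
        elif brand in lowered:
            warnings.append(f"brand {brand} embedded in unrelated domain")
    return warnings
```

The check is deliberately conservative: it flags the paper's examples (paypaI.com, users-paypal.com, userinfo-hidden IP hosts) but passes www.paypal.com, and it does not attempt to verify domain ownership, which the text notes is beyond most users.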
Phishing attacks to date have several other noteworthy properties:
- Short duration
Most phishing web sites exist for a very short period of time, on the order of days or even hours.
- Sloppy language
Many phishing messages have misspellings, grammar errors, or confusing wording.