Since most people won't reveal their bank account, credit card number or password to just anyone, phishers have to take extra steps to trick their victims into giving up this information. This kind of deceptive attempt to get information is called social engineering.
Phishers often use real company logos and copy legitimate e-mail messages, replacing the links with ones that direct the victim to a fraudulent page. They use spoofed, or fake, e-mail addresses in the "From:" and "Reply-to" fields of the message, and they obfuscate links to make them look legitimate. But recreating the appearance of an official message is just part of the process.
Most phishing messages give the victim a reason to take immediate action, prompting him to act first and think later. Messages often threaten the victim with account cancellation if he doesn't reply promptly. Some thank the victim for making a purchase he never made. Since the victim doesn't want to lose money he didn't really spend, he follows the message's link and winds up giving the phishers exactly the sort of information he was afraid they had in the first place.
In addition, a lot of people trust automatic processes, believing them to be free from human error. That's why many messages claim that a computerized audit or other automated process has revealed that something is amiss with the victim's account. The victim is more likely to believe that someone has been trying to break into his account than believe that the computer doing the audit made a mistake.
Next, we'll look at the technical aspects of creating a phony message.