Howto Avoid Phishing Expeditions

How They Do It

Be extremely careful whenever an html email asks you to click on an embedded link that is supposed to lead you to an external web page, where you are then expected to enter some personal credentials, update a user profile because your account has been disabled/compromised, etc. Name it, the list is long! It’s almost 100% guaranteed to be a phishing expedition.

As a matter of fact, I will state the following for the record:

BIC SYSTEM ADMINISTRATORS WILL NEVER EVER REQUEST/SOLICIT PASSWORDS AND/OR OTHER USERS' SENSITIVE CREDENTIALS VIA EMAIL. IF YOU RECEIVE SUCH A REQUEST YOU ARE BEING TAKEN FOR A RIDE BY AN IMPOSTER!

McGill University abides by the same policy.

Now to the phish.

You can always compare the html code to the ascii version — if your email client allows you to do so, that is. Invariably the html code will contain a link pointing to a compromised or harvesting site.

The canonical way they (the phishers) proceed is displayed in the following piece of html code / phish bone:

<a href="http://iamaphisher.com">http://my-online-banking.com/mail_update</a>

By clicking on what was supposed to be, say, your online banking account ( http://my-online-banking.com/mail_update , which doesn’t exist btw) you end up on http://iamaphisher.com . There they have set up a page that mimics the site they want you to believe you are browsing. You naively enter the info/credentials as requested, and you have just been phished.

Of course, this is just a naive example: no bank of repute would ever use a non-secured web site for its operation, but you get the gist.
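The mismatch between the visible link text and the real href target is exactly what a mail filter or a curious user can check for. The following is an added example, not code from the original page: it parses an html body, collects every link, and flags those whose visible text looks like a URL but names a different host than the href. The sample message is constructed here and modelled on the phish bone above.

```python
# Added example (not from the original page): flag links whose visible text is a
# URL pointing at a different host than the href target, the pattern shown above.
from html.parser import HTMLParser
from urllib.parse import urlparse
class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML email body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host_of(url):
    """Lower-cased hostname; text without a scheme is read as http://text."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()

def find_mismatched_links(html):
    """(href, text) pairs where the text looks like a URL but names another host."""
    parser = LinkCollector()
    parser.feed(html)
    suspicious = []
    for href, text in parser.links:
        if not text or " " in text or "." not in text:
            continue  # visible text is not URL-like, so there is nothing to compare
        if href and host_of(text) != host_of(href):
            suspicious.append((href, text))
    return suspicious
# Constructed sample body modelled on the phish bone above (not a real message).
SAMPLE = ('<p>Your account was disabled. Please visit '
          '<a href="http://iamaphisher.com">http://my-online-banking.com/mail_update</a>'
          ' or <a href="http://my-online-banking.com/help">'
          'http://my-online-banking.com/help</a> for help.</p>')

if __name__ == "__main__":
    for href, text in find_mismatched_links(SAMPLE):
        print(f"SUSPICIOUS: text shows {text} but link goes to {href}")
```

The host comparison is deliberately strict (a www. prefix counts as a different host), so treat hits as something to look at, not as proof on their own.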

If you want to report a purported phishing/spamming attempt, always include the FULL body of the email along with the envelope and the headers, not just the html-rendered portion. And strip the email of all attachments: they are useless to us and potentially dangerous.

I understand this is not always possible: it depends on your mail client, and some don’t provide this functionality. Sigh. All good text-based email clients (mutt, pine, etc.) provide this, but sadly I don’t know of a web-based email client that does. Hence the popularity and dangers of phishing expeditions.