More recently, however, a hybrid form of phishing, dubbed "spear-phishing," has emerged and raised alarms among the digital world's watchdogs. Spear-phishing is a distilled and potentially more potent version of phishing. That's because those behind the schemes bait their hooks for specific victims instead of casting a broad, ill-defined net across cyberspace hoping to catch throngs of unknown victims.

Spear-phishing, say security specialists, is much harder to detect than phishing. Bogus e-mail messages and Web sites not only look like near perfect replicas of communiqués from e-commerce companies like eBay or its PayPal service, banks or even a victim's employer, but are also targeted at people known to have an established relationship with the sender being mimicked.

"After three unsuccessful attempts to access your account, your Online Profile has been locked. This has been done to secure your accounts and to protect your private information. You may unlock your profile by going to: …"

Sounds like a normal phishing e-mail, right? But what if the e-mail seemed to come from the head of IT at your small business, warning about your company account? Would you click the link?

Today's phishers hope so. In fact, the excerpt above didn't appear in the usual global barrage of e-mail sent out to catch recipients with eBay or PayPal accounts. Instead, it went exclusively to students and faculty of the University of Kentucky as part of a directed, or "spear-phishing," attack against the small, 33,000-member university credit union this May.

The APWG is still reviewing and receiving proposals for this meeting. The working agenda for the meeting as of August 20, 2004 is as follows:

Spear Phishing: What Happens when Phishers optimize the "list-creation" aspect of phishing?