At my day job, phishing is a big deal because we are sometimes involved in the identification and takedowns. Bruce Schneier has an interesting post pointing to two studies of phishing: one where you spoof headers to make the mail appear to originate with a friend, and one where you present the first 4 digits of a credit card (which are fixed across companies, so only a few combinations exist) and then ask for the last 4. The common theme is how easy it is to counterfeit trust. There is one dodgy bit of math in Bruce’s comments, though:
Another attack comes to mind. You can write a phishing e-mail that simply guesses the last four digits of someone’s credit-card number. You’ll only be right one in a thousand times, but if you send enough e-mails that might be enough.
Umm, no. That would be one in 10,000, my friend: four decimal digits give 10^4 possible values, not 10^3. The idea holds but the frequency is wrong.