A user's email address is obtained by an address harvester or by some other means, and a message is sent to them attempting to elicit security information and often financial information. The email often directs the user to a fake Web site. Phishing can also be carried out by using instant messaging