In the case of phishing sites, the fake bank login page that you are directed to by the original email will have been copied from the real bank web site. The person behind the scam will then have added a HTML form or a link to another page that will ask for your account information. An easy way to see what has been added to the page is to download the version from the real bank site, compare the files, and look at the differences.

For this, you can use the standard Unix command diff to compare the two files, line by line. Lines that differ are output and identical lines are ignored. If consecutive lines differ in the two files, then these are output as two blocks, rather than pairs of individual lines.

The amount of whitespace at the start and end of lines can vary between similar files, downloaded from different sources. Perhaps this is a function of the browser that was used or the subsequent editing of the content. This can cause diff to report all lines as being different, which is not what you want. The -b option causes diff to ignore whitespace.

Here is an example of its output on a fake login page for http://keybank.com and the equivalent real page. The output has been edited down for the sake of readability.

            % diff -b fake.html real.html 7c7 < <link rel="stylesheet" href="http://accounts.keybank.com//ib2/ css/kco2obi.css" type="text/css" media="all" /> --- > <link rel="stylesheet" href="/ib2/css/kco2obi.css" type="text/css" media="all"/> 46c46 < <a href="login.htm?requester=signon" ...