# What is pharming and how do you prevent it?

> Pharming redirects you to fake websites by corrupting DNS or your hosts file to steal logins. Learn how pharming works and how to prevent it.

Pharming is an attack that silently redirects you from a legitimate website to a fraudulent copy in order to steal your credentials or payment details. It works by corrupting the address-lookup step of browsing — either the DNS system that turns a domain name into an IP address, or the local settings on your device — so that even typing the correct web address lands you on the attacker's server. You prevent it by hardening DNS, patching devices, checking for HTTPS, and stopping the phishing that usually plants the malware in the first place.

## Quick Takeaways

- Pharming redirects a correct web address to a fake site by tampering with DNS resolution or a device's local settings.
- The name blends "phishing" and "farming": it harvests victims at scale without needing them to click a bad link.
- There are two forms — host-based pharming (malware alters your device) and DNS-based pharming (a DNS server or cache is poisoned).
- Unlike phishing, pharming can catch you even when you type the URL yourself, which makes it harder to spot.
- Defenses include DNSSEC, a trusted resolver, patched systems, a locked-down router, and always confirming the HTTPS padlock.
- Because pharming malware often arrives by email, [SPF](/tools/spf), [DKIM](/tools/dkim), and [DMARC](/tools/dmarc) cut off a common infection route.

## What is pharming?

Pharming is a redirection attack. When you visit a website, your device asks a DNS resolver to translate the human-readable domain (like `yourbank.com`) into the numeric IP address of the server that hosts it. Pharming corrupts that translation so the domain resolves to an IP address the attacker controls. Your browser loads a pixel-perfect fake of the real site, you enter your username and password, and the attacker captures them.

The word is a mash-up of "phishing" and "farming." Where classic phishing lures one victim at a time with a convincing message, pharming quietly "farms" many victims by poisoning infrastructure they all rely on. Nothing in the address bar looks wrong — you typed the right domain, and the page looks right — which is exactly why pharming is dangerous.

## How does pharming work?

Pharming attacks fall into two broad categories, defined by where the tampering happens.

**Host-based pharming** targets your individual device. Malware — often delivered through a [phishing email](/learning/what-is-phishing) or a malicious download — edits your local `hosts` file or changes your configured DNS servers. The `hosts` file is checked before any external DNS lookup, so a single forged line silently reroutes a domain for that machine. A related tactic hijacks your router's DNS settings, which poisons lookups for every device on the network. See [how a DNS changer affects your internet](/learning/how-does-a-dns-changer-affect-your-internet) for how that router-level manipulation plays out.

**DNS-based pharming** attacks the naming system itself rather than your device. In [DNS cache poisoning](/learning/dns-poisoning-redirects-prevention), an attacker feeds forged records into a resolver's cache so that everyone using that resolver is sent to the wrong IP address until the record expires. Attackers may also compromise the authoritative DNS server for a domain or hijack the domain's registrar account. Because the poison sits upstream, this form scales far beyond a single victim.

Both routes end the same way: the address is correct, the destination is not.

## How is pharming different from phishing?

Phishing and pharming share a goal — stealing credentials by impersonating a trusted site — but they differ in method. Phishing depends on you taking the bait: clicking a link, opening an attachment, or trusting a spoofed sender. Pharming removes that step. Once DNS or your device is compromised, you can navigate to the real address from a bookmark and still land on the fraudulent page.

That silence is what makes pharming harder to catch. There is no suspicious link to hover over and no misspelled domain in the address bar. For a broader look at how impersonation attacks trick recipients, compare [phishing versus spoofing](/learning/phishing-vs-spoofing-whats-the-difference) and the wider family of [social-engineering attacks](/learning/common-social-engineering-attacks-protection). In practice the two overlap: pharming malware is very often seeded by a phishing email, so the defenses reinforce each other.

## How do you prevent pharming as an individual?

Most host-based pharming starts with malware, so the fundamentals matter most:

- **Keep everything patched.** Update your operating system, browser, and security software so known vulnerabilities can't be used to plant redirection malware.
- **Run reputable anti-malware** and let it scan downloads and email attachments before you open them.
- **Check for HTTPS every time.** A pharming site has the right domain in the address bar but usually cannot present a valid TLS certificate for it. If the padlock is missing, or the browser warns that the certificate doesn't match, stop — that mismatch is one of the few reliable tells.
- **Secure your router.** Change the default admin password, apply firmware updates, and disable remote administration. A hijacked router poisons DNS for your whole household or office.
- **Use a trustworthy DNS resolver** — ideally one that validates DNSSEC — instead of whatever an untrusted network hands you.
- **Be sceptical of email links.** Since the initial malware usually arrives by mail, learn to [spot fake emails](/learning/how-can-you-spot-fake-emails-and-protect-yourself-from-scams) and avoid the download that starts the chain.
- **Enable multi-factor authentication.** If a pharming site does capture your password, a second factor stops it from being enough on its own.

## How do site owners and MSPs defend against pharming?

If you run the domains your customers trust, the goal is to make your DNS hard to forge and your infection routes hard to use.

- **Sign your zone with DNSSEC** so resolvers can cryptographically verify that DNS answers for your domain are genuine and reject poisoned records.
- **Lock down registrar and DNS accounts** with strong, unique credentials, MFA, and registrar/registry locks to prevent domain hijacking.
- **Serve HTTPS everywhere and enable HSTS** so browsers refuse to load your site over plain HTTP or with an invalid certificate — which blunts the fake-site step of pharming.
- **Monitor your DNS records** for unexpected changes, and watch for [lookalike domains](/learning/how-can-i-take-down-lookalike-domains) that attackers register to support redirection campaigns.
- **Stop email-borne malware at the door.** Publish [SPF](/tools/spf) and [DKIM](/tools/dkim), then enforce [DMARC](/tools/dmarc) so attackers can't send pharming malware *as your domain* to your own users and customers.

## Common issues with detecting and stopping pharming

### The website looks completely normal — how would I know?

You often won't from the page alone, because pharming reuses the real design and the real domain name. The most dependable signal is the certificate: a genuine site presents valid HTTPS for its exact domain, while a pharming server usually cannot. Treat a certificate warning, a downgraded HTTP connection, or an unexpected login prompt as a reason to stop and verify.

### I cleaned the malware but I'm still being redirected

Redirection can live in more than one place. Check the local `hosts` file, your device's DNS settings, *and* your router's DNS configuration — attackers frequently change several at once. If a resolver's cache was poisoned, the bad record can also persist until it expires, so flushing your DNS cache and switching to a validating resolver helps.

### Only one device is affected, not the whole network

That pattern points to host-based pharming — malware or a modified `hosts` file on that single machine — rather than a poisoned upstream resolver. Isolate the device, run a full anti-malware scan, and reset any credentials entered while it was compromised.

## Frequently asked questions

**Is pharming a type of phishing?**
They are cousins, not the same thing. Both impersonate trusted sites to steal data, but phishing relies on tricking you into clicking, while pharming redirects you automatically by corrupting DNS or your device. Pharming is often *delivered* by a phishing email, which is why the two are discussed together.

**Can HTTPS alone stop pharming?**
It's one of your strongest checks but not a complete fix. A correctly configured HTTPS site with HSTS makes it very hard for a fake server to impersonate the real domain, because it can't present a valid certificate. Still pair it with patched devices, a trusted resolver, and DNSSEC.

**Does DMARC stop pharming?**
Not directly — DMARC governs email, not DNS resolution or web traffic. But because pharming malware usually arrives in email, enforcing DMARC (alongside SPF and DKIM) removes a major delivery channel attackers use to plant it in the first place.

**What should I do if I think I've been pharmed?**
Disconnect the device, scan it for malware, inspect the `hosts` file and DNS settings on both the device and the router, and reset any passwords you may have entered on the fake site — from a known-clean device.

Pharming thrives on trust in a domain, and email is one of the main ways the malware behind it spreads. Palisade automates that side of the defense: it monitors your SPF, DKIM, and [DMARC](/tools/dmarc) records, shows you who is sending mail using your domain, and walks you to enforcement so attackers can't use your name to deliver the next attack. Start with a free scan from the [Email Security Score](/tools/email-security-score) tool.

## Related reading

- [What is phishing?](/learning/what-is-phishing)
- [DNS poisoning: how redirects happen and how to prevent them](/learning/dns-poisoning-redirects-prevention)
- [Common social engineering attacks and how to protect against them](/learning/common-social-engineering-attacks-protection)
