How would a gold farming company get my account and password?

Solution 1:

The most common methods these gold farming companies use to get account info are:

  • Phishing
    • Most of these attacks, as you mention, come through emails. Always check the domain of the link (the actual URL you will be directed to, and not what is displayed in the text of the link!) on any emails you get relating to WoW (or any other game... or emails in general!). Also check for misspellings. It is amazing how intricate these scams can be, yet simple spell-check is apparently too difficult. Phishing attacks don't always come through email, though. Some websites are designed to phish for WoW account information as well. Be wary of any site that asks you to log in.
  • Key Loggers

    • There are many malware apps and viruses out there that will install key loggers on your machine, which will then transmit your information to the farming companies. Keep your anti-virus definitions up to date, be wary of what sites you surf, and be careful of installing any suspicious WoW add-ons!.
  • Brute Force

    • This seems much less likely, but if you have a weak password it might be possible.

The authenticator from Blizzard is supposed to be an excellent tool to protect your account.

Regarding your second question, yes, it most likely is illegal (there have been a number of cases around the world of people being successfully prosecuted for virtual theft), however, the chances of you successfully pursuing such a case within the context of a WoW account theft are almost non-existent. Most of the primary gold farming companies are located in countries where the government either honestly doesn't care, or actively protects their citizens in these endeavors.