This can be confused with Cross-Site Scripting (XSS), the effect is about the same, but the method is quite different.
In Cross-Site Scripting (XSS) the scumBag.net virus site has stolen Dave's log in by reading goodSite.com's cookies (see XSS for more)
in Cross Site Request Forgery (CSRF) scumBag.net "guesses" that Dave is logged in to goodSite.com, and sends it instructions.
scumBag.net sends out spam email to everyone in the UK, that looks like its from LastCityBank.com
The email is advertising a discount at SendFowersToYourMum.net for LastCityBank.com customers
Dave clicks on the link to SendFlowersToYourMum.net because its his mum's birthday, and it sounds like a great deal
On arriving at SendFlowersToYourMum.net, none of the links seem to work, so Dave goes away and finds another florist.
But it turns out that SendFlowersToYourMum.net, as a part of the scumBag.net network, sent a request to LastCityBank.com to transfer £1000 to a bank account in Mauritius
If Dave was not logged in at the time, no harm done,
but if he was logged in, well he might have just been relieved of £1000
At least mum got some flowers
We can't speak for LastCityBank.com, but most real banks have blocked this, by asking you to verify the transfer via your phone, or an app, or email
3rdKey.com creates a special "token" for every web page, and any request must have that "token" in order for us to process it. Additionally, we keep some data in sessionstorage so scumbag.net doesn't have the information it needs to fool us.
So scumbBag.net can never "fake" a request at 3rdKey.com