The most common form of phishing is an e-mail pretending to be from a legitimate retailer, bank, organization or government agency. The sender asks to "confirm" your personal information for some made-up reason:
Your account is about to be closed.
An order for something has been placed in your name.
Your information has been lost because of a computer problem.
Phishers say they're from the fraud departments of well-known companies and ask to verify your information because they suspect you may be a victim of identity theft.
In one case, a phisher claimed to be from a state lottery commission and requested people's banking information to deposit their "winnings" in their accounts.
Source: National Consumers League
It happens countless times a day. People receive e-mails from what looks to be a familiar company — their bank, credit card company or another organization. It looks legitimate, often featuring a company logo, but something just isn't right.
Online "phishing" scams reel in unsuspecting users, who can have their personal information, identities and money stolen by unseen thieves.
Tom Regan, host of the NPR News Blog, recently had a close call with a phisher. He talks to John Ydstie about what happened and how to avoid being a phishing victim.
"I think it's the way most people do get caught," Regan says of his phishing encounter. "I wasn't paying any attention to what I was doing."
He opened an e-mail that looked very similar to one he received from his bank. It asked him to log into the site by entering a user name and password. Regan filled in his user name but then looked at the Web address.
"That's when I knew right away I had made a mistake because the URL was not the URL of my financial institution," he says.
He closed the browser immediately, went to the correct Web site and changed his password.
"I got lucky," he says.
In most cases, phishers and scammers can't duplicate the exact URL of a bank or a credit card company. But they try to make it appear as if they're a legitimate site.
For example, in faking the Web address for PayPal, a popular online payment tool, phishers will use the number "1" instead of the letter "l" in the company's name.
"They count on people not to notice that," Regan says. "They'll slightly misspell a word ... but people are busy and they don't notice. They click on it and they go."
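The two tricks described above, swapping a look-alike character and slightly misspelling a name, can be checked for mechanically. The following is an added example, not part of the original article; the trusted-domain list and all function names are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Constructed allowlist: sites the reader actually uses (assumption, not from the article).
TRUSTED = ("paypal.com", "examplebank.com")

# Characters that read alike at a glance, folded to one form ("1" for "l", "0" for "o").
FOLD = str.maketrans({"1": "l", "i": "l", "0": "o", "5": "s"})


def skeleton(name):
    """Collapse look-alike characters so paypa1.com and paypal.com compare equal."""
    return name.lower().translate(FOLD).replace("rn", "m").replace("vv", "w")


def registered_domain(host):
    """Last two labels of the host. Simplification: real code needs the Public Suffix List."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def edit_distance(a, b):
    """Levenshtein distance, used to catch a slightly misspelled name."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(url):
    """Return (verdict, trusted domain the URL matches or imitates, or None)."""
    host = urlsplit(url).hostname or ""
    domain = registered_domain(host)
    if domain in TRUSTED:
        return ("trusted", domain)
    for good in TRUSTED:
        if skeleton(domain) == skeleton(good):
            return ("lookalike", good)    # character swap such as "1" for "l"
        if edit_distance(domain, good) <= 1:
            return ("misspelled", good)   # one letter added, dropped or changed
    return ("unknown", None)
```

A verdict of "unknown" only means the address resembles nothing on the list; it says nothing about whether the site is safe.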
Also, look for "https" at the beginning of the URL. Normally, that's a sign of a secure site. If the tiny lock at the bottom of a browser is open, the site is not secure.
Your name, birth date, Social Security number and mother's maiden name can all be used by online thieves.
"They're phishing constantly for any little bit of information that they can find that they can use to get access to your money," Regan says.
In the end, you have to weigh the risks of convenience against security.
An "https" at the beginning of a URL usually indicates a secure Internet connection.
Read tips on protecting yourself from "phishing" and other online scams.
If you get an e-mail or pop-up message that asks for personal or financial information, do not reply. And don't click on the link in the message, either. Legitimate companies don't ask for this information via e-mail.
If you are concerned about your account, contact the organization mentioned in the e-mail using a telephone number you know to be genuine, or open a new Internet browser session and type in the company's correct Web address yourself. In any case, don't cut and paste the link from the message into your Internet browser: phishers can make links that look like they go to one place but actually send you to a different site.
Use anti-virus software and a firewall, and keep them up to date. Some phishing e-mails contain software that can harm your computer or track your activities on the Internet without your knowledge.
Don't e-mail personal or financial information. E-mail is not a secure method of transmitting personal information.
If you initiate a transaction and want to provide your personal or financial information through an organization's Web site, look for indicators that the site is secure, like a lock icon on the browser's status bar or a URL for a Web site that begins "https:". However, no indicator is foolproof; some phishers have forged security icons.
Review credit card and bank account statements as soon as you receive them to check for unauthorized charges. If your statement is late by more than a couple of days, call your credit card company or bank to confirm your billing address and account balances.
Be cautious about opening any attachment or downloading any files from e-mails you receive, regardless of who sent them. These files can contain viruses or other software that can weaken your computer's security.
Beware of "pharming," in which a virus or malicious program is secretly planted in your computer and hijacks your Web browser. When you type in the address of a legitimate Web site, you're taken to a fake copy of the site without realizing it. Any personal information you provide at the phony site, such as your password or account number, can be stolen and fraudulently used.
Never enter your personal information in a pop-up screen. Sometimes a phisher will direct you to a real company's, organization's, or agency's Web site, but then an unauthorized pop-up screen created by the scammer will appear, with blanks in which to provide your personal information. If you fill it in, your information will go to the phisher. Legitimate companies, agencies and organizations don't ask for personal information via pop-up screens. Install pop-up blocking software to help prevent this type of phishing attack.
Phishing can also happen by phone. You may get a call from someone pretending to be from a company or government agency, making the same kinds of false claims and asking for your personal information.
Some phishers target people who list themselves on job search sites. Pretending to be potential employers, they ask for your Social Security number and other personal information. Follow the advice above and verify the person's identity before providing any personal information.
Act immediately if you've been hooked by a phisher. If you provided account numbers, PIN numbers, or passwords to a phisher, notify the companies with whom you have the accounts right away. For information about how to put a "fraud alert" on your files at the credit reporting bureaus and other advice for ID theft victims, contact the Federal Trade Commission's ID Theft Clearinghouse.
Sources: OnGuardOnline.gov, National Consumers League