JOHN YDSTIE, host:
On Fridays, we talk about your money, and today we're going to talk about scammers who go phishing for your money online - that's phishing with a P-H, not a rod and reel. Phishers send out counterfeit e-mails, which lead you to fake Web sites, which then ask you for financial or personal details.
It's easy enough to fall for it. In fact, our own Tom Regan was led down this phishy path recently. He's the host of the NPR News Blog and he joins us now.
TOM REGAN: Thank you.
YDSTIE: Tell us what happened to you. How did you get caught in one of these traps?
REGAN: Well, I almost got caught. Therein lies my tale. And I think, John, it's the way that most people do get caught. I was going along and I saw this e-mail and I opened it up. And it looked very similar to one from my financial institution, one of them. So I clicked on it and it said log in with your username and password. So I put in my username and then I looked at the URL. And that's when I knew right away I had made a mistake, because the URL was not the URL of my financial institution.
So what I did was I closed out the browser immediately. I went to the correct URL. I changed my password. I got lucky.
YDSTIE: So are there other ways that you can tell that a Web site is real or fake?
REGAN: I think the URL is really one of the most important keys, because as much as these phishers and scammers can do, they really can't duplicate the exact URL of a bank or a credit card company. So here's a great example - PayPal, a popular tool that everybody uses to pay online.
Often what they'll do is, they'll put in rather than the L, for instance, in PayPal, they will use a letter 1, which looks exactly like an L, right? They count on people not to notice that. They'll slightly misspell a word, so it will come out maybe PilPal, but people are busy and they don't notice. They click on it and they go.
The other one you got to watch for is H-T-T-P-S. Normally that's a sign of a secure site. Look down at the bottom. If the little lock, you know there's that little lock at the bottom of the browser? Well, if it's open, it's not secure.
YDSTIE: Another common place for phishing expeditions is job sites. Last week researchers discovered a fraud on Monster.com. Hackers had managed to get access to the names and IDs of hundreds of thousands of jobseekers. How big a risk is it to use one of these sites?
REGAN: It's always a risk. Is it a big risk? That depends. I think in a case like that where you've got a big database of information - phishers love that. If they can find a way to crack it - the individual little person is not so much, but if they can get in to a big database of information, ooh, that's juicy.
YDSTIE: Now, if one of these phishers gets their hands on your user log in and bank password, it's pretty obvious what they can do. What about other information like name, Social Security number, that sort of thing?
REGAN: Yeah. They can use all that stuff. They'll take anything they can get. That's why I was so worried at first when I gave them my username, even though I didn't give them my password, why I went immediately and changed my username, because even just getting that little bit of information, maybe they can use that in some way.
Even that, you know, what's your mother's maiden name, they're phishing constantly for any little bit of information that they can find that they can use to get access to your money. Some people say maybe the best thing to do is not give any information. But that also deprives you of the chance to use a lot of these great tools that allow you to bank online from home, not have to stand on a line in the bank for 30 minutes. You have to weigh the risks, I think.
YDSTIE: Tom Regan is host of the NPR News Blog. You can see his tips on how to protect yourself against phishing at npr.org.