RENEE MONTAGNE, host:
One of the things that computers have made easier is giving away your bank account number and password to the wrong person. Until recently scam artists engaged in phishing - that's spelled with a P-H - focused on sending out e-mails that tried to trick users into giving up the passwords to their financial accounts. Now these assaults are getting more sophisticated as NPR's Jack Speer reports.
JACK SPEER: Scott London(ph) is an attorney in Santa Barbara, and he thinks of himself as Internet savvy, not the sort of person who gets taken in by online scams - until he did.
Mr. SCOTT LONDON (Attorney): Everything just seemed like it was on the up and up. There was nothing that led me to believe that I was on an improper site. In hindsight, of course, I look at it and say what an idiot I was. Why didn't I see this.
SPEER: London had recently bought a bike and a set of skis on eBay. So he wasn't surprised when he got an e-mail claiming to be from the payment service, PayPal. The e-mail asked for some information, then took him to a Web site he says looked exactly like the real PayPal site. He put in his password. Almost immediately London knew something was up because money started disappearing from his accounts.
Mr. LONDON: It's one of those things. You're just going through your e-mails, you're not giving 100 percent of your attention to what you're doing. And it slips by, and before you know it you're getting a phone call from a watchdog organization saying, hey, you're in trouble.
SPEER: London was lucky someone saw his personal information on an online chatroom and called to alert him. He put a hold on his accounts. Experts say cases like London's have become increasingly common.
Mr. GEORGE TUBIN (Analyst, The Tower Group): There's a whole industry out there - it's actually an organized crime in the U.S. as well as in foreign countries - that actually works as a big business.
SPEER: George Tubin is an analyst with The Tower Group. He says for around $1,000 criminals can now buy software called a universal phishing kit. The software let's them set up what's known as a man-in-the-middle phishing attack where they create a phony Web site that actually sits between an unsuspecting computer user and a real Web site. It can even use some of the bank site's interactive features to fool user into believing they are talking with their bank, when in reality they're feeding information to an identity thief.
In order to curb the problem, new federal guidelines require banks to establish multiple authentication procedures. But Tubin says the banks are facing determined adversaries.
Mr. TUBIN: I think the thing that banks are starting to recognize is, you know, this isn't a one-time war, this is an ongoing battle. And as a gentleman from the FBI described it to me, the criminals try to come over our ten-foot wall with a 15-foot ladder. So we go out and build a 20-foot wall and that, you know, it's just a matter of time before they come back with a 25-foot ladder.
SPEER: And researchers say there is another problem for the banks - human nature. They say as customers grow increasingly familiar with online banking, they tend to let down their guard.
A recent study conducted by Harvard and MIT found even when participants were confronted with increasingly alarming clues a bank's Web site had been compromised, most logged on anyway. Banks say there are safeguards designed to prevent attacks on their online systems, which consumers and hackers can't see. However, the amount of money lost to online phishing attacks is on the rise.
There's also the fear that as big banks boost security on their Web sites, the fraudsters will simply move downstream, targeting smaller financial institutions with less elaborate security measures.
Jack Speer, NPR News, Washington.