YOUR MONEY
CREDIT, COLLEGE, TAXES AND REAL ESTATE
Avoiding the hook
As phishing attacks get more dangerous, banks and other online businesses that have invested heavily in making customers comfortable with online commerce have more to lose. In addition to eating the losses, many companies are investing money and effort in reducing customers' vulnerability. Banks and credit-card issuers lost an estimated $1.2 billion to phishing last year, according to Gartner, a market-research firm in Stamford, Conn.
PayPal, for instance, has a dedicated "spoof team" that handles reports of bogus e-mails and works with ISPs to shut down fraudulent sites. (The average life of a spoofed Web site is about six days.) Because the sites usually go up before the e-mails go out, many companies have developed programs that search the Web for fake sites that bear their names, in hopes of shutting them down before they snag victims. In addition, PayPal monitors user accounts for extraordinary activity and will verify or stop unusually large transactions.
Longer term, authenticated e-mail may be a solution. Currently, the average computer user can't tell whether the "from" line in an e-mail is fake or real. But with an authentication system, your e-mail program would accept only Citibank e-mails that come from Citibank's own server. It may be a while, however, before major players in the online community can agree on a standard for authenticated e-mail.
Meanwhile, it's up to you to keep up your guard against e-mails that aim to delve into your financial accounts. "All the verities of computer hygiene are more important than ever," says Peter Cassidy, secretary general of the Anti-Phishing Working Group. That means having a firewall plus antivirus and anti-spyware programs running on your computer. (The popular programs include Norton Personal Firewall, McAfee Personal Firewall Plus and ZoneAlarm, which will keep intruders from hijacking your computer; Norton AntiVirus and McAfee VirusScan, which will keep your computer virus-free; and Spybot-S&D and Ad-Aware, which zap spyware.) In addition:
Ignore e-mails urgently requesting personal information. If PayPal really needs to update your expired credit-card number, for instance, you'll be able to take care of it the next time you make a transaction. "If you're suspicious, just delete it," says Sara Bettencourt, a spokeswoman for PayPal. "We'll get to you some other way."
Never go to an online site by clicking a link in an e-mail. Open your browser and type in the company's home-page address.
Be wary of e-mail offers that seem too good to be true, such as merchandise with unusually low prices and "free" items with small shipping fees. They, too, could be credit-card-number traps.
Change your passwords frequently so that they'll be out of date if it takes weeks or months for thieves to use your data or sell it to others.
Check your statements regularly and report fishy transactions right away. Theft from online accounts generally falls under Federal Reserve Regulation E, which says that financial institutions must limit your liability to $50 if you report a loss within two days of receiving your statement and to $500 if you report it within 60 days. In practice, most banks (as well as providers of electronic transfers, such as PayPal) reimburse customers in full when their accounts are raided in a phishing fraud.
If you've taken the bait, call the company that's been spoofed (your bank or ISP, for instance) and report the incident right away. If you're prompt, you can normally change your password or account number in time to stop unauthorized transactions.
--Research: Joan Goldwasser














