How to know when something smells 'phishy'

Columnist Tom Regan's five tips for avoiding online cons.

August 15, 2007

It looked perfectly normal. I was preoccupied with another task, but noticed an e-mail that warned me of trouble in one of my online banking accounts. So I clicked on the link in the mail message and was taken to a site that looked exactly like my bank's site. Not thinking, I typed in my username. Then I happened to glance up at the URL (the Web address).

Right away I knew I'd made a mistake. I'll tell you why in a few paragraphs.

As the old New Yorker cartoon once said, on the Internet, nobody knows you're a dog – or if the particular site you're visiting happens to be a phishing scam. Phishers will go to any length to trick you into giving them usernames and passwords so they can access your credit cards or bank accounts. One of their favored methods is the "spoofed" website.

A "spoofed" website looks exactly like the site of whatever financial institution the phishers are using as bait. The scam usually works like this: You get an e-mail supposedly from your credit-card company saying that your payment is late, or that there is an error in your account, or that (sneaky devils!) someone has been trying to steal your account info and the bank needs to verify your login information.

Often the people phishing for your passwords are quite far away. Eastern Europe, Russia in particular, is a mecca for phishers.

So how can you tell if a website is authentic, when even smart Web columnists can fall into their clutches?

My first rule is, trust your gut. If something about an e-mail makes you suspicious – for instance, if you know your payment has gone through, or if the scam is about an account that you haven't used in a long time, such as PayPal (a frequent target of phishers) – then don't click on the link.

If you're really unsure, here's a neat little trick. Enter a phony username and password. If it's a real site, it will tell you that you've entered incorrect info. A phishing site will make it look as if you've logged in successfully.

The second rule is: Check the URL. Once I glanced up at the Web address in the example above, I noticed right away something was wrong.

For all the hocus-pocus phishers can do, they can't duplicate the exact URL of a credit card company or bank. So they might use numbers instead of letters (www.paypa1.com, using the numeral 1 instead of the letter "l"), misspell the company's name (www.citibenk.com), or put a symbol in front of the correct URL (www.$chase.com), or put the slash in the wrong place (www.yourbank.com:login&mode=secure/ instead of www.yourbank.com/).

All of these addresses are phony and will lead to phishing sites. In my case, as soon as I noticed my mistake, I immediately closed my browser window before I entered my password, went to the correct URL for my bank, and changed my username. I was fortunate to have noticed my mistake in time.
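The URL checks above can be written down as a small script. What follows is an added example, not code from the column: it pulls the host out of a Web address and flags the four tricks listed above (digits standing in for letters, a misspelled name, a symbol in the host, and junk after the host where a port number should be), plus any name within a couple of characters of a bank you actually use. The trusted-domain list is a constructed placeholder you would replace with your own institutions.

```python
"""Lookalike-URL checker (added example; assumes a user-maintained trusted list)."""
import re
from urllib.parse import urlparse

# Constructed placeholder: the domains this reader really does business with.
TRUSTED_DOMAINS = {"paypal.com", "citibank.com", "chase.com", "yourbank.com"}

# Digits that phishers swap in for the letters they resemble (paypa1 -> paypal).
CONFUSABLES = {"1": "l", "0": "o", "5": "s", "3": "e", "8": "b", "6": "g"}

# A real host name uses only letters, digits, dots and hyphens; "$chase.com" fails this.
HOSTNAME_RE = re.compile(r"^[a-z0-9.-]+$")


def levenshtein(a, b):
    """Edit distance: how many single-character changes turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def extract_host(url):
    """Return (host, bad_port): the host part of the URL and whether the text
    after the host's ':' is something other than a numeric port."""
    if "://" not in url:            # bare "www.example.com/..." as typed by a person
        url = "http://" + url
    netloc = urlparse(url).netloc
    hostinfo = netloc.rpartition("@")[2]          # drop any user:pass@ prefix
    host, _, port = hostinfo.partition(":")
    bad_port = bool(port) and not port.isdigit()  # "login&mode=secure" is not a port
    return host.lower(), bad_port


def registrable_domain(host):
    """Naive 'last two labels' rule; enough for the .com examples in the column."""
    labels = host.split(".")
    return ".".join(labels[-2:])


def check_url(url):
    """Classify a URL as trusted, suspicious or unknown, with the reasons."""
    host, bad_port = extract_host(url)
    domain = registrable_domain(host)
    reasons = []
    if not HOSTNAME_RE.match(host):
        reasons.append("host contains characters no real domain name can use")
    if bad_port:
        reasons.append("text after the host's ':' is not a port number")
    if domain in TRUSTED_DOMAINS:
        verdict = "trusted" if not reasons else "suspicious"
        return {"host": host, "verdict": verdict, "reasons": reasons}
    # Not a domain we trust: does it merely look like one?
    unconfused = "".join(CONFUSABLES.get(c, c) for c in domain)
    if unconfused != domain and unconfused in TRUSTED_DOMAINS:
        reasons.append(f"digits stand in for letters: reads as {unconfused}")
    else:
        for trusted in sorted(TRUSTED_DOMAINS):
            if levenshtein(domain, trusted) <= 2:
                reasons.append(f"within two edits of {trusted}")
    verdict = "suspicious" if reasons else "unknown"
    return {"host": host, "verdict": verdict, "reasons": reasons}


if __name__ == "__main__":
    # The column's own examples, plus one genuine and one unrelated address.
    for sample in ["https://www.paypal.com/login", "www.paypa1.com", "www.citibenk.com",
                   "www.$chase.com", "www.yourbank.com:login&mode=secure/",
                   "http://evil.example/"]:
        result = check_url(sample)
        print(f"{sample:45} {result['verdict']:10} {'; '.join(result['reasons'])}")
```

The point of the script is the order of the checks: first decide what the host actually is (everything up to the first ':' or '/'), then compare only that against the names you trust. A browser's address bar shows the whole string, which is exactly what the misplaced-slash trick relies on.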

Beware of Web addresses that begin with https://. Normally "https" is the sign of a secure site. Sometimes these crooks use https to hide the real URL of the scam site. One easy way to check is to look at the bottom of the browser. If the little padlock is unlocked, it's a scam – the site is not secure. Or right-click on the page and look under "properties." That will show you the website's real address.

Third rule: Financial institutions will never send you an e-mail asking to "verify" your login information. Never.

These phishers don't necessarily stick to using websites. Sometimes phishing e-mails will ask you to call a number and give your information over the phone. Don't do it. No real financial institution will ever ask you to verify your username and password, though it may ask for other identifying details you have already given it (mother's maiden name, the day you got married, etc.).

Rule No. 4: Be very careful with pop-ups. Often phishing sites include a pop-up that asks you to enter your account information. This is a sure sign of a scam. Close that pop-up and the browser. Get outta there!

Rule No. 5: Be wary of any e-mails addressed to "Dear Customer" and not to you personally.

There are other things you can do to protect yourself. Both Internet Explorer and Firefox browsers allow you to download plug-ins that will help your browser detect phishing sites. They aren't foolproof. When you click on the site, the browser will check it against a database of known phishing sites and alert you if necessary – but it's hard for the browser companies to keep up with the bad guys.

Often your financial institutions will provide a way for you to set up a series of passwords and other means of identification to protect your information. They can seem time-consuming, but it's much smarter to create these protocols than to risk the theft of your information. That way, even if the bad guys do get your username and password, they can't get into your account.

But you can't count on any of the above methods to be foolproof. While the Internet has made online banking and bill payment much easier, it has also made it easier for unscrupulous people to try to get your info. Be on your guard. Your own vigilance is your best protection.