
    How to not get phished

    Our tips on how to identify phishing scams will keep you from falling for them

    Published: October 2012

    Like death and taxes, online scams are inevitable. Among the most widely known flimflams is phishing, in which perpetrators try to steal your private information, such as online-account logins and personal financial data, via fake e-mails, websites, and even phone texts.

    A typical phishing solicitation appears to be from a company or service you trust and possibly already do business with, including a bank, a payment service such as PayPal, or an agency such as the IRS.

    But a number of telltale signs can help you identify phishing cons. Read on for tips on staying safe and protecting your information. And go to our Online Security Guide for more advice.

    How to identify phish

    Here are some ways you can vet an e-mail that makes you suspicious.

    • Look for grammar and spelling oddities and errors.
    • Check the addresses—are they legitimate, or a little off?
    • Hover over links within the e-mail to see the real URLs.
    • Don't click on any link in the e-mail; type the given URLs into your browser.
    • If you're unsure of a site, try signing in with the wrong password first.
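    The "hover over links" check can also be run on a saved message before it is opened in a mail client. The sketch below is an added example, not part of the original article: it lists where each link really goes, flags links whose visible text names a different host, and counts the To addressees (a sign that recurs in the real-life examples). The sample message and all of its domains are constructed, and host comparison is simplified to an exact or subdomain match.

```python
from email import message_from_string, policy
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample message (not a real phish); every domain is a placeholder.
SAMPLE = """\
From: "Example Bank" <alerts@example-bank.test>
To: alice@example.org, bob@example.org, carol@example.org
Content-Type: text/html; charset="utf-8"

<a href="http://login.example-verify.test/a">https://www.example-bank.test/login</a>
<a href="http://example-verify.test/scan">clickhere</a>
<a href="https://help.example-bank.test/faq">example-bank.test</a>
"""

class LinkCollector(HTMLParser):
    # Records (href, visible text) for every <a> element in the body.
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        self._text.append(data)  # buffer is reset at each <a>, read at </a>
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host_of(value):
    """Hostname (minus 'www.') if value looks like a URL or bare domain, else ''."""
    try:
        host = urlsplit(value if "//" in value else "//" + value).hostname or ""
    except ValueError:  # malformed brackets or odd Unicode in the host part
        return ""
    return host.removeprefix("www.") if "." in host and " " not in host else ""

def vet(raw):
    """Return (To addressee count, [(link text, real host, text names another host)])."""
    msg = message_from_string(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("html",))
    parser = LinkCollector()
    parser.feed(body.get_content() if body else "")
    report = []
    for href, text in parser.links:
        real, shown = host_of(href), host_of(text)
        mismatch = bool(shown) and real != shown and not real.endswith("." + shown)
        report.append((text, real, mismatch))
    return len(msg["To"].addresses) if msg["To"] else 0, report
```

    A link whose text is not itself an address, such as "clickhere", is never flagged as a mismatch, so the real host in the second field still has to be read and judged.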

    Below are some real-life examples of phish e-mails as well as the warning signs we spotted in each.

    Fake USPS notice

    Phish warning signs:

    • Bad grammar: "package you have sent on the 27th" and "for each day of keeping."
    • Sentence fragment: "Because the recipient's address is erroneous."
    • Hovering on button shows a bogus website.

    Phony American Express e-mail confirmation

    Phish warning signs:

    • Multiple addressees for a personal message.
    • Hovering on links shows a bogus website.

    Fraudulent Webmail warning

    Phish warning signs:

    • Odd phrasing: "Thank you for your anticipated cooperation."
    • Link reads "clickhere" instead of "click here."
    • Hovering on the link shows a bogus site.

    Bogus ADP alert

    Phish warning signs:

    • Multiple addressees on a personal message.
    • Odd paragraph spacing.
    • Hovering on the link shows a bogus site.

    Sham Groupon deal

    Phish warning signs:

    • Spelling errors: "dicount" in subject and "attachement" in body.
    • Odd sentence structure: "be in a hurry this weekend special is due in 2 days!"
    • Hovering on links shows a bogus site.

    False Chase Bank alarm

    Phish warning signs:

    • The request to enable CSS (cross-site scripting) is unusual, and complying reduces your security.
    • Hovering on links shows a bogus site.
    • Banks do not usually embed links; they ask customers to type in the bank's Web address themselves.

    Fake-antivirus trap

    Fake-antivirus attacks are the biggest security trap when you're using a browser. In fact, the FTC recently targeted this type of scam (read "FTC cracks down on major tech support scams conning consumers"). Here's what can happen.

    • The attacker pops up a box like the one above, telling you your PC is infected.
    • You're convinced to click a "scan" button to "clean up" your PC.
    • This actually installs an exploit that causes problems, such as hiding files, desktop items, documents, and pictures.
    • The attacker then asks for a fee to fix the damage it "finds."

    Fake AV can be cleaned up without paying a fee to the hacker, but it can be a tricky, multistep process. To avoid the fake-AV trap, learn the messages your own security software gives. And always assume a pop-up warning is bogus, until you check it thoroughly.

    Tips for staying safe

    Here's a list of best practices for keeping your personal information private and secure online.

    • Install security software. Consumer Reports recommends several free programs.
    • Keep your security software active and updated.
    • Accept critical updates to major software, including Windows or Mac OS, office suites, browsers (Chrome, Firefox, Internet Explorer, Opera, and Safari), plug-ins (Adobe Flash Player), and so on.
    • Back up your files; assume your hard drive will fail.
    • Be cautious about using free downloaded software. Instead, get it from a reputable source.


