1. Be skeptical.  When receiving an email claiming to be from a financial source, immediately assume it could be a scam.  This puts you on alert to notice something unusual.
2. Use a tool to filter your emails.  Since I have my email filtered through Google, it cuts spam and phishing scams from my inbox dramatically.  However, you should never rely on Google or another tool entirely.
3. Create an email address for your financial institutions.  Use it only with your financial institutions.  Free email addresses are easy to get.  Don’t use it anywhere else.  The fewer places where your address is used, your risk of being exposed to a scammer is diminished.  (Rule #1 still applies.)  If you get an email claiming to be from a bank on your personal or work address, you immediately know it’s a phishing scam.  Forward it to a phishing report address right away, like spoof@ebay.com or spoof@paypal.com.
4. Notice punctuation and grammar.  Legit emails will not make obvious errors.
5. Check the sender of the email.  Why would eBay send an email through an address like secure-ebay.com?  Why wouldn’t they send it through ebay.com?
6. Hover your mouse over all email links.  If you’re in an web client, the linked address will appear in a tooltip.  If you’re in a mail client, the linked address will usually be in the lower frame of your program window.  The linked address should match the text in the email.
7. Even if the From address appears to match, it could be a fake.  With domain spoofing, you can fake a different address.  Open the original source headers.  How to do this varies depending on the email client you use, but generally it is under a View->Headers menu.  Several lines of information will appear – don’t worry about all of them.  What you are looking for is whether the return path matches the domain you expect.  If you see the from address as admin@ebay.com and the return path as scammy@aol.com, you have a spoofed address. Note even if this matches, it still may not be authentic.  This just tips you off to the more obvious attempts.
8. Do not click links that claim your account has been closed, or you need to verify information.  Call your bank.  Check your account balance through the phone.  If you can still access your account info through the phone, your account is not closed.  Talk to a customer service representative if you want to be sure.
9. If in doubt, send the email to the phishing report address for your institution.  For eBay, forward it to spoof@ebay.com.  They will respond back and let you know if it is authentic.

   I received an email once from PayPal asking me to verify a new security measure.  There were no links in the email directing me to PayPal, and no spoofed addresses.  It looked 100% legitimate.  There was nothing that tipped off warning bells.  However, I was not 100% sure.  Before I logged into PayPal, I forwarded it to spoof@paypal.com.  They responded back a couple hours later and verified it was from them.

10. Phishing happens through telephone too.  If someone calls you claiming to be your bank and starts asking you personal information, tell them you’re in the middle of something and you’ll call them back.  Ask for their employee number, department and extension.  If they refuse to give it to you, hang up.  Beware – they may try to bully and scare you by saying if you hang up, they’ll cancel your account.  Ask yourself why a legitimate phone call to verify your information wouldn’t let you call them back at a more convenient time?  If it’s legit, why would you want to do business with them if they threaten you?

    If they give you one, call the number listed on the back of your card or the website.  Do not call back the number on your caller id!  Ask the operator to connect you with the employee number you received.

Stay on alert, and be informed.  Protect your information.

How do you score on the Consumer Reports Phishing Test?

Update: Phishing scams are also hitting Facebook. Always remember to check the links!  Beware of Fake Facebook