Usually phishing starts with an email or an instant message, appearing to be from the genuine entity, asking you to furnish important details or to ‘verify' your account with the genuine entity to supposedly avoid a “disciplinary action” or on an “unforeseeable emergency.” The email will also have a link that points to a website copy of the genuine party's website.
On visiting this website, you will be amazed to find its thorough resemblance to the genuine entity's website; unsuspecting individuals may be fooled to believe that it is the original website. Unsuspecting users, thus, may provide the original user name and password in this website and make themselves victims of the phishing attack (and may still remain unsuspecting). Once given, the phishing entity has a direct door opened to your personal information and your identity. It can do anything with this information.
Online payment systems like PayPal, eBay, and online banking entities like Bank of America, Citibank are very common focus of the phishing attackers.
If you receive an email in your inbox, with subject line asking you to “confirm your email address,” “verify your login,” “log in to prevent disqualification,” etc., you should be wary. The spam detector of your email address may not catch these crooks all the time. If the genuine financial entity you depend on doesn't usually ask your password or ask you to confirm any personal information, then the email you received must be from fraudulent entity.
You should check the email address it comes from (not the header information alone, the exact email address). Latest phishing mails on PayPal actually come from an email address, support@paypal.com while the genuine PayPal email address may be different (like support@intl.paypal.com). So, you cannot rely even on the email addresses of the senders. However, so many attackers use public email addresses provided by Yahoo, GMail etc. The header may tell you something such as “Bank of America Online Banking System,” while the sender email address would be “bankspoof@yahoo.tk.” Smart people quickly see this anomaly.
Always make sure, when you log in to your financial institution website, that you open a new browser window, type in the address on the address bar, and log in. Never click on any links you get on your emails.
Spot Phishing
Most or all of the professional organizations do not ask for your private and personal information over an email. They won't ask you to “verify email” or “login to confirm” over an email anyway. So, any such mail you receive is phishing email and report it right away (see below to know how).
Look for promotional or intimidating diction in the emails you receive. If it tells you something like “We have no other means but to close down your account unless you verify now,” then remember it is most likely a phishing email.
Another type of phishing attack offers you large sums of money, telling you a short fiction about a bygone legacy (from which you get paid a percentage), asking your help to set records straight. On proceeding with the correspondence, you will be asked to submit bank account information, or even send small sums of money to enable successful funds transfer.
If the email contains image instead of text (to find out, try selecting the text on the email), then discern that it is an attempt to elude the spam filter of your email software.
Most of the phishing emails, owing to be from uneducated lot trying for quick bucks, may contain loads of grammatical and punctuation errors interspersed in awkward wording and spelling mistakes. Also, they would lack that quality and politeness of a polished professional email.
Another giveaway is the presence of attachments. Phishing emails may contain them while genuine entities never send attachments over emails. Make sure you don't open any of the attachments received. They can be such potential threats as adwares, malwares, keyloggers, etc.
If you don't find your name in the greeting in the mail, then it may be a phishing mail. Generic greetings like “Dear sir,” “Dear user,” “Dear subscriber,” etc., instead of “Dear Tom,” “Dear Sarah,” etc., clearly tells you that the sender knows not who you are. So, suspect such mails.
Check out the link provided. A link text of the URL of the genuine entity itself, like “Bank of America,” with underlying original hyperlink of the phishing website, may evade your eyes. So, always check which address it actually links to. Don't open the hyperlink unless you are sure. Deceptive URLs can take many forms. Some URLs will be subdomains with the subdomain name that of the genuine organization. Like “Paypal Spoof” Be wary of these addresses.
Fight Phishing
Legally fighting phishing is very easy for you. A way to report phishing attack is through US-CERT, the United States Computer Emergency Readiness Team. Report phishing to US-CERT through their email address, phishing-report (at) us-cert.gov. Report phishing with the Antiphishing Organization email, reportphishing (at) antiphishing.org. Spams may be forwarded to spam (at) uce.gov (Federal Trade Commission, FTC email address). Also, alert the Internet Crime Complaint Center of FBI (ic3.gov).
Most of the online entities have their own designated email addresses for you to report phishing. For instance, PayPal has spoof (at) paypal.com, eBay has spoof (at) ebay.com.
Conclusion
To be on the safe side, always make sure you have a current antivirus and firewall application in place. Do not give your personal information through any links you receive in emails. Email is not a safe medium of communication at all; do not communicate with anybody you don't know. Make sure you forward any spam or spoof you receive to the above-said entities. These simple steps will keep you secure in the cyberspace.