I love the Toshiba laptop I bought last year. I keep just about everything related to work, school, and my finances on it. So when I received an e-mail from Toshiba warning that my model may have a data-threatening memory defect, I was anxious to find out whether my machine was affected. A link in the message took me to a Toshiba Web page, which promised to download a utility to my PC that would check for a defective memory module. All I had to do was click one button.

But just as I was about to click that button, a doubt bubbled up from the depths of my digital credulity. Could the whole thing be a scam? Was I about to download and install a Trojan horse, backdoor program, or worm? As it turned out, it wasn't a trick: Toshiba really did send out an e-mail containing an embedded link leading to an executable file download located at a long, complex Web address (see FIGURE 1). Trouble is, phishing exploits, browser hijackers, and other online scams often hook their victims by using similar-looking e-mail messages.

Fortunately, you can learn to spot these e-mail cons by using a handful of investigative techniques and a boatload of common sense. I explained some basic stratagems back in last August's Internet Tips. This month I'll troll a little deeper and point out particular differences between a genuine message and a bogus one.

Don't Take the Bait

If you keep just this one thing in mind, you'll protect yourself from the majority of e-mail attacks: Assume any message could be malicious. It matters not who the sender appears to be, or whether the message's corporate logos, artwork, and embedded links look authentic. It's a trivial matter for scam artists to create fake messages that contain return addresses, images, and URLs lifted from the real company's own Web site.

Next, use your newfound paranoia to examine messages critically. If you don't have an account with Citibank, the company won't be sending you any account-related e-mail. But even messages that appear to come from firms you have an account with may not be real. Remember, your new motto is Trust No One.

Before clicking a link or taking any action requested in a message, determine for certain that the message is genuine. Return addresses, embedded links, and images can deceive. Look for dire warnings and other classic con techniques, undoubtedly accompanied by a link to a bogus Web site where you'll be asked to enter personal information (see FIGURE 2).

Note the similarities between the two messages shown in Figure 2: Both are text-based, reasonably well written, and plausible (although the phishing message contains typos and poorly composed sentences with borderline illogic). Both also contain real addresses to each company's Web site (highlighted in blue by the e-mail program displaying them). The only difference is that the faux-Citibank message also has a link to a short-lived phishing site where the unsuspecting visitor is asked to enter personal information. Rather than providing a link to a specific page, genuine messages from companies that are savvy to phishing and other online fraud will generally instruct you to visit or log in to the company's main Web site.

Another clue: The phishing message may be delivered to an e-mail address that you don't use with that company or institution. Note that I received the phishing message at a widely publicized (and indexed) address (nettips@pcworld.com); the genuine PayPal message came to my personal address, which I had previously verified with PayPal. If you get a message at an address you never registered with the company, it's fake.

Know Your Links

Intuition and a suspicious nature are a good start, but to separate real messages from bogus ones, you also need to decipher their Web addresses. In the two text-based messages above, all addresses are plain text, so what you click is what you get. Clicking "https://www.paypal.com" takes you to the real PayPal Web site. But clicking "http://218.45.31.164/signin/citifi/scripts/login2/index.html" doesn't lead to a Citibank Web site.

One clue is the string of numbers following the URL prefix "http://". Every Web site resides at a specific Internet Protocol (IP) address, so, for example, you can get to the PCWorld.com site by typing 65.220.224.30 in your browser's address bar instead of "www.pcworld.com". However, "218.45.31.164" doesn't lead to the Citibank Web site, even though the rest of the address looks like other links you may routinely click. The only way you can be sure to reach the real Citibank site is to type the domain-name-based URL www.citibank.com into your browser's address window manually. (And once you do, be sure to click the Consumer Alert link that describes these fraudulent e-mail messages.) If you're not sure where an IP address leads, don't click it.

Substituting a numeric IP address for a domain name in a URL isn't the only way a malicious message will try to trick you. The address "www.citibank.com" is the real deal, but "www.citibank.phishing.com" could lead anywhere. Every domain name ends with a top-level domain (TLD), like .com, .org, .edu, or a country-specific TLD such as .cn (China), .uk (United Kingdom), or .ru (Russia). The word just to the left of this TLD, together with the TLD portion, spells out the actual domain name: "citibank.com", for example, is all it takes to get to Citibank's site. When a phisher modifies a domain name slightly, or inserts a word to the left of the TLD, the name changes. Phishers hope that you won't know or notice the difference between "pcworld.com" and "pcworld-gotcha.com" or "pcworld.phishing.com."

E-mail attacks can also use the Web format itself to conceal the true destination of links. If a message is composed using HTML, the highlighted link text may not be the same as the actual embedded link. This was true of the e-mail I received from Toshiba and was one reason I became suspicious of its origin. Most e-mail programs display an embedded link's underlying URL in the bottom status bar or in a pop-up window when you hover the mouse pointer over it.

The Safe Way to a Site

I needed to find out whether the message was genuine; if it was, I would have to test my beloved laptop for a faulty memory module. First I entered a likely Toshiba site URL--"toshiba.com"--into my browser's address bar; this move transported me to a global Toshiba site. (See this month's "Privacy Watch" for an even safer approach.) After rummaging around awhile, I finally stumbled upon a Web page describing the same issues noted in the Toshiba e-mail, and using the same URLs. Voilà! I had my confirmation--the Toshiba e-mail was truly legitimate. But I still never clicked the message's embedded link, going instead through the link on the company's Web site. You can never be too careful.

Send your questions and tips to nettips@spanbauer.com. We pay $50 for published items. Go to find.pcworld.com/31523 for more Internet Tips. Scott Spanbauer is a contributing editor for PC World.