Gone Phishin' Continued
By Paul McFedries
First Published April 2006
The easiest way to detect a phishy page is to look at the page address. A legitimate page will have the correct domain—such as aol.com or ebay.com—while a spoofed page will have only something similar—such as aol.whatever.com or blah.com/ebay. However, some phishers employ tricks such as domain spoofing, replacing the lowercase letter "L" with the number "1" or the uppercase letter "O" with the number "0." This is also called homograph spoofing or a look-alike attack. A similar ploy is IDN spoofing, which uses domain name ambiguities in the user's chosen browser language. ("IDN" is short for "international domain names," which refers to domain names written in languages other than English.)
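The address tricks described above can be checked mechanically. The Python below is an added example, not code from the column or its author: it folds a link's domain to a comparison form and flags the subdomain ploy (aol.whatever.com), the path ploy (blah.com/ebay) and the 1-for-l, 0-for-O and accented-character look-alikes against a constructed allow-list; the allow-list, the function names and the extra confusable pairs are assumptions.

```python
import unicodedata
from urllib.parse import urlsplit

# Constructed allow-list of domains treated as legitimate (assumption, not from the article).
LEGIT_DOMAINS = {"aol.com", "ebay.com"}

# The l->1 and O->0 swaps the article names, plus a few other digit-for-letter confusables (assumed).
CONFUSABLES = str.maketrans({"1": "l", "0": "o", "|": "l", "5": "s", "3": "e", "7": "t"})


def registrable_domain(host):
    """Last two labels of the host. Assumption: no public-suffix list, so co.uk-style domains are not handled."""
    return ".".join(host.lower().strip(".").split(".")[-2:])


def skeleton(domain):
    """Fold a domain to a comparison form: decode xn-- labels, strip accents, map digit look-alikes."""
    try:
        domain = domain.encode("ascii").decode("idna")  # punycode -> Unicode; raw Unicode input is left as-is
    except UnicodeError:
        pass
    folded = unicodedata.normalize("NFKD", domain.lower())
    folded = "".join(c for c in folded if not unicodedata.combining(c))  # drop accents such as e + acute
    # Cross-script homoglyphs (e.g. Cyrillic letters) are NOT folded here; a UTS #39 confusables table would be needed.
    return folded.translate(CONFUSABLES)


def classify(url, legit=LEGIT_DOMAINS):
    """Return (verdict, reason): 'ok', 'phishy' or 'unknown' for the link target."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    if not host:
        return "unknown", "no host in URL"
    base = registrable_domain(host)
    if base in legit:
        return "ok", f"{base} is on the allow-list"
    # Brand name used as a subdomain (aol.whatever.com) or as a path component (blah.com/ebay)
    brands = {d.split(".")[0] for d in legit}
    subdomain_labels = set(host.lower().split(".")[:-2])
    path_parts = set(parts.path.lower().strip("/").split("/"))
    for brand in brands:
        if brand in subdomain_labels:
            return "phishy", f"'{brand}' is only a subdomain of {base}"
        if brand in path_parts:
            return "phishy", f"'{brand}' appears only in the path under {base}"
    # Homograph / IDN look-alike: equal to a legitimate domain once confusable characters are folded
    sk = skeleton(base)
    for d in legit:
        if sk == skeleton(d):
            return "phishy", f"{base} is a look-alike of {d}"
    return "unknown", f"{base} is not on the allow-list"
```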
Another good way to detect phishing e-mail is to examine the address of the link that you're supposed to click on. Again, this address will point to an obviously nonlegitimate site. Or will it? Recent phishing attempts have used a technique called DNS cache poisoning, a Domain Name System exploit where a "poisoned" DNS server is configured to redirect surfers from a legitimate site to the scammer's site. Because the switch occurs somewhere in the network between the user's computer and the Internet at large, it can be very hard to spot.
As people become more aware of phishing, they're less likely to fall for obvious ploys such as requests for passwords and credit card data. So the world's dot con artists are revising their schemes to compensate. The latest tool in their nefarious arsenal is spear phishing, which refers to phishing that is targeted at a specific person. This usually consists of sending an e-mail message that has a subject line, body text, and return address that make it appear as though it were sent by someone the recipient knows. For example, you might get a message that appears to come from the head of your IT department, requesting that you visit a particular site to update your password.
Another reason people are less likely to fall for a phishing scam is that big corporations are doing a better job of warning their customers and teaching them how to spot fraudulent requests. Scammers are hip to this, so they're trying a new tactic: targeting smaller companies that might not do as good a job warning their customers. These smaller-scale attacks are called puddle phishing. Phishers are also breaking out of the "fake e-mail and Web site" paradigm and turning to fraudulent phone calls that attempt to con people out of sensitive data such as their credit card's three- or four-digit security number. This is called phone phishing.
So Microsoft is right to include antiphishing technology in Internet Explorer 7, because clearly we need all the help we can get. Maybe the folks there will really get into the spirit of things and hack the company's name, too. Microsopht, perhaps?
About the Author
PAUL MCFEDRIES is a technical and language writer with more than 40 books to his credit. He also runs Word Spy, a Web site and mailing list that tracks new words and phrases (http://www.wordspy.com).