worry: You aren't alone When you read about all the devious schemes I describe in this chapter, it's easy to believe that it's you and your computer against a sea of brilliant hackers. The truth is that in the fight against hackers, you have some very powerful allies. The world's largest corporations - and not just those in the computer industry-have some very good reasons to win the war. First of all, these schemes cost some companies tens of millions of dollars every year. When a thief splurges with your credit card, for example, your bank typically foots the bill. And that's just the direct monetary cost What about the harm done to a company's brand and reputation when a phisher posing as a company official steals your password? Many companies have set up e-mail addresses or phone numbers you can use to report hacker solicitations. For example, if you receive an e-mail that appears to be from eBay and directs you to a Web site that asks for your password, forward it to spoof@ebay.com. Table 15-1 lists the companies that are most often targeted by phishers, as well as the e-mail address to use when you receive a phishing scam. It's important (and comforting) to realize that companies like eBay aren't kidding around. If the company catches a hacker, it doesn't send him a warning notice; it sends him to jail, in collaboration with local authorities.   Know Where you are The links in phishing e-mails and instant messages rarely display an address such as http://www.ebay.com.Rather, they generally offer enticing text like Billing Information, or simply eBay. That's because the Web site address is the one fundamental aspect of a legitimate site that phishers cannot copy. There is exactly one http://www.ebay.com in the world, and it's the real eBay. The hope, then, is that when you click the link and Firefox opens it automatically, you'll forget to check the Location Bar. So that's an important step: REMEMBER Always verify that you're really at the Web site you think you're at by checking the address in the Location Bar. Unfortunately, protecting yourself isn't that simple. As you can tell by now, phishers are nothing if not persistent. They've devised a number of clever ways to disguise or obfuscate the addresses of their fake replicas so that even people who know to check are fooled! Here are some indicators to watch out for: Most legitimate Web site addresses don't contain the at sign (@). This symbol has special meaning when contained within a Web address: The phrase before it is considered to be login information, and the phrase after it is interpreted as the Web site to which you wish to login. For example, an address of ebay.com@blakeross.com, is interpreted as user http://www.ebay.com logging in to the Web site http://blakeross.com and will actually navigate to http://blakeross.com, even though it might appear to point to eBay at first glance. If all that didn't make much sense, that's okay - it's a technical detail you don't need to worry about. When you visit these kinds of addresses, Firefox automatically asks you to confirm the decision, as shown in Figure 15-4. (I use my Web site for demo purposes.) Figure 15-4: Firefox asks you to confirm going to suspicious Web sites. Practically no legitimate Web sites use this kind of addressing scheme, so if you ever encounter a window like this, the right answer is almost certainly No.