For those of us without the luxury of our own domain, or who worry that someone could guess a per-site addressing scheme such as email@example.com, a few e-mail masquerading services are available. My favorite is Sneakemail.com, which lets you create an unlimited number of e-mail aliases for a modest $2 per month. This way, you can use one unique e-mail address per Website, and all the messages get forwarded to your "real" mailbox. The service even relays your replies through the alias, so the Website never sees your real address.
If you receive a password reset notification directly to your work e-mail instead of your unique address for that site, you know it is at best spam and at worst a phishing attempt. As a nice side effect, you'll be able to catch unscrupulous Websites that share your information with third parties. I once received several unsolicited offers from a company to the e-mail address that I had provided only to a particular airline's frequent flyer club. Needless to say, I contacted the club's privacy department, provided logs, and promptly canceled that account.
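The triage described above, as an added example that is not part of the original article and not how Sneakemail or any other service implements aliases: each per-site alias carries a short HMAC tag of the site name under a secret only the mailbox owner holds, so an inbound message can be judged from its headers alone. A message to the bare address is the "reset notice at my work e-mail" case; a message whose alias verifies but whose sender domain is a different company is the "frequent flyer club shared my address" case. The mailbox, domain, key and sample headers are all constructed for the demonstration.

```python
"""Per-site e-mail aliases with a verification tag, and header triage.

Added example for this article, not the author's setup. Aliases look
like me+<site>-<tag>@example.com, where tag = HMAC-SHA256(key, site)
truncated to 8 hex digits. No lookup table is needed: recompute the
tag to tell an issued alias from a guessed one.
"""
import hashlib
import hmac
import re
from email.utils import parseaddr

# Hypothetical mailbox and secret; in practice load the key from a file.
MAILBOX_USER = "me"
MAILBOX_DOMAIN = "example.com"
SECRET_KEY = b"constructed-demo-key-change-me"
TAG_LEN = 8

_ALIAS_RE = re.compile(
    rf"^{re.escape(MAILBOX_USER)}\+(?P<site>[a-z0-9.-]+)-(?P<tag>[0-9a-f]{{{TAG_LEN}}})"
    rf"@{re.escape(MAILBOX_DOMAIN)}$"
)


def make_tag(site: str) -> str:
    """Short keyed tag that binds the alias to the site it was issued to."""
    return hmac.new(SECRET_KEY, site.lower().encode(), hashlib.sha256).hexdigest()[:TAG_LEN]


def alias_for(site: str) -> str:
    """The unique address to hand out when signing up at `site`."""
    site = site.lower()
    return f"{MAILBOX_USER}+{site}-{make_tag(site)}@{MAILBOX_DOMAIN}"


def parse_alias(to_header: str):
    """Return (site, tag_is_valid) if To: is one of our aliases, else None."""
    _, addr = parseaddr(to_header)
    m = _ALIAS_RE.match(addr.lower())
    if m is None:
        return None
    site, tag = m.group("site"), m.group("tag")
    return site, hmac.compare_digest(tag, make_tag(site))


def triage(from_header: str, to_header: str) -> str:
    """Classify an inbound message from its From: and To: headers."""
    _, sender = parseaddr(from_header)
    sender_domain = sender.rpartition("@")[2].lower()
    parsed = parse_alias(to_header)
    if parsed is None:
        return "no per-site alias: treat as spam or phishing"
    site, tag_ok = parsed
    if not tag_ok:
        return "forged alias: tag does not verify, address was guessed"
    if sender_domain == site or sender_domain.endswith("." + site):
        return f"expected: alias issued to {site} used by {site}"
    return f"leak: alias issued to {site} used by {sender_domain}"


# Constructed sample headers, not real mail.
SAMPLE_MESSAGES = [
    ("Frequent Flyer Club <noreply@airline.example>", alias_for("airline.example")),
    ("Great Deals <offers@marketing.example>", alias_for("airline.example")),
    ("Account Security <reset@bank.example>", f"{MAILBOX_USER}@{MAILBOX_DOMAIN}"),
    ("Account Security <reset@bank.example>",
     f"{MAILBOX_USER}+bank.example-00000000@{MAILBOX_DOMAIN}"),
]

if __name__ == "__main__":
    for sender, recipient in SAMPLE_MESSAGES:
        print(f"{recipient:<48} <- {sender}")
        print(f"    {triage(sender, recipient)}")
```

The sender-domain comparison only catches leaks, since a phisher is free to put the bank's name in From:; what a phisher cannot forge without the leaked data is the alias itself, which is why the "no per-site alias" and "forged alias" outcomes are the ones worth a hard rule in a mail filter.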
Don't Click on Anything in E-Mail
As a rule, I don't click on links within e-mail, ever. Not even from known senders. Well-formatted HTML e-mails should have a URL just below the big "Click here" button, usually in a section that says "if your e-mail program doesn't allow links, copy and paste the following into your browser." If you still can't find the URL, switch your mail reader to display the raw message source (in Gmail, "Show original" in the drop-down menu next to Reply) and find it there; the source shows the actual target of every link, which need not match the text the link displays.
If I really want to click through, I will highlight the URL and paste it first into the Google search box of my Web browser, not the address bar, which in most browsers will simply navigate to anything that looks like a URL. If nothing else, this removes any HTML or rich-text formatting that my clipboard picked up and leaves me with a pristine plain-text URL. This strips away most of the obfuscation tricks such as www.yahoo.com.com.attacker.evil.ru. A host name is hierarchical from right to left: the rightmost labels, evil.ru, are the registered domain that controls the site, and everything to their left is just subdomains the attacker created. Humans read from left to right and may think they are visiting a sub-section of yahoo.com.
Furthermore, submitting the URL to a search engine also protects me from look-alike attacks where someone could send a link to www.paypa1.com (the numeral 1 instead of lowercase "L"). It would be obvious from the first few links that something was not quite right. Internationalized Domain Names add a complication: a true homograph attack uses letters from another script that render identically to Latin ones (a Cyrillic "а" in place of a Latin "a"), and in the raw link such a name appears in its punycode form, as a label beginning with "xn--". A label like that in a link that claims to be from an English-language site deserves the same suspicion as the numeral 1. Total cost to allow Google to run a sanity check on the link and remove rich-text formatting: zero.
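The checks a search engine performs for you in the two paragraphs above can also be done offline. The following script is an added example, not the author's tooling and not a Google product: it finds the registrable domain at the right-hand end of the host, decodes any xn-- labels so look-alike Unicode letters become visible, flags a host that mixes scripts, and folds common confusable characters so that paypa1.com is compared as paypal.com. The list of known sites, the small set of multi-label public suffixes and the sample links are constructed for the demonstration; real tooling should use the Public Suffix List and the full Unicode confusables table.

```python
"""Sanity-check a URL copied out of an e-mail before visiting it.

Added example for this article, not the author's own tooling.
"""
import unicodedata
from urllib.parse import urlsplit

# Hypothetical list of sites the reader actually holds accounts with.
KNOWN_SITES = {"yahoo.com", "paypal.com", "example.com"}

# Simplification: a few multi-label public suffixes. Real tooling
# should consult the Public Suffix List instead of this set.
TWO_LABEL_SUFFIXES = {"co.uk", "org.uk", "com.au", "co.jp", "com.br"}

# Characters commonly substituted for Latin letters: the digits the
# article mentions plus Cyrillic letters that render identically
# (a small subset of the Unicode confusables table).
CONFUSABLES = str.maketrans({
    "0": "o", "1": "l",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0443": "y", "\u0445": "x",
})


def registrable_domain(host: str) -> str:
    """Right-hand labels that a registrar would actually hand out."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def to_unicode(host: str) -> str:
    """Decode xn-- labels the way a browser would before displaying them."""
    try:
        return host.encode("ascii").decode("idna")
    except UnicodeError:
        return host


def scripts_used(text: str) -> set:
    """Unicode script of every letter, e.g. {'LATIN', 'CYRILLIC'}."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in text if ch.isalpha()}


def analyse(url: str) -> dict:
    """Return the real host, its registrable domain, findings and a verdict."""
    url = url.strip()
    if "//" not in url:  # bare "www.site.example/path" pasted from mail
        url = "http://" + url
    parts = urlsplit(url)
    host = (parts.hostname or "").rstrip(".")
    findings = []

    if parts.username is not None:  # http://www.paypal.com@evil.ru/ trick
        findings.append(f"user-info before '@' hides the real host {host!r}")

    shown = to_unicode(host)
    if shown != host:
        findings.append(f"punycode host displays as {shown!r}")
    scripts = scripts_used(shown)
    if len(scripts) > 1:
        findings.append(f"mixed scripts in host name: {sorted(scripts)}")

    reg = registrable_domain(host)
    # A known site name with more labels to its right is the
    # www.yahoo.com.com.attacker.evil.ru trick: the hierarchy runs
    # right to left, so the known name is only a subdomain.
    for site in sorted(KNOWN_SITES):
        if site != reg and f".{site}." in f".{host}":
            findings.append(f"{site!r} appears in the host but the registrable domain is {reg!r}")

    folded = registrable_domain(shown.translate(CONFUSABLES))
    if reg not in KNOWN_SITES and folded in KNOWN_SITES:
        findings.append(f"{reg!r} looks like {folded!r} once look-alike characters are folded")

    if findings:
        verdict = "suspicious"
    elif reg in KNOWN_SITES:
        verdict = "known site"
    else:
        verdict = "unknown site"
    return {"host": host, "registrable_domain": reg, "findings": findings, "verdict": verdict}


# Constructed sample links of the kinds the article describes.
SAMPLE_LINKS = [
    "https://www.paypal.com/myaccount",
    "http://www.yahoo.com.com.attacker.evil.ru/login",
    "https://www.paypa1.com/reset",
    "http://www.paypal.com@evil.ru/",
    # IDN homograph: Cyrillic а (U+0430) in place of Latin a, encoded as punycode
    "http://" + "p\u0430ypal.com".encode("idna").decode("ascii") + "/login",
]

if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        result = analyse(link)
        print(f"{result['verdict']:<13} {link}")
        for finding in result["findings"]:
            print(f"    - {finding}")
```

The punycode sample is built by encoding the Unicode name in the script itself, so the xn-- label is whatever Python's idna codec produces rather than a hand-typed value; the decode step then shows exactly what a browser would display for it.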