Of all the Internet risks, phishing has been the toughest to thwart because it’s often almost impossible for a consumer to tell a phony e-mail from a legitimate one. That’s why the Federal Trade Commission says you shouldn’t click on links in an unsolicited e-mail to access a financial account. Yet most respondents to our survey don’t follow that advice, partly because they’re tempted by offers like this one that Chase Online recently sent account holders. (In a recent spam study, security software maker McAfee found phishing attacks that used Chase’s name to be the most prevalent type worldwide; a Chase spokesperson told us that the e-mail shown was genuine.) The e-mail contained the recipient’s name and part of his account number, but a prominent link took us to an insecure page where we could log in by entering a user ID and password.

If this e-mail had been fake, it could have been used to steal the recipient’s credit-card number, savings account, or identity. Unless you’re absolutely sure of the source of such an e-mail, access your account only on your own directly through a browser or call the company at a phone number you’ve verified.