The Phishing Filter

The criminal mind knows no bounds. How else do you explain the clever nefariousness of phishing attacks?

In a phishing attack, you’re sent what appears to be legitimate email from a bank, eBay, PayPal, or some other financial Web site. The message tells you that the site needs to confirm account information, or warns that your account has been hacked, and needs you to help keep it safe.

If you, responsible citizen that you are, click the provided link to clear up the supposed problem, you wind up on what looks like the bank/eBay/PayPal Web site. But it’s a fake, carefully designed to look like the real thing; it’s run by a scammer. If you type in your password and login information, as requested, the next thing you know, you’re getting credit-card bills for $10,000 charges at high-rolling Las Vegas hotels.

The fake sites look so much like the real ones that it can be extremely difficult to tell them apart. (That’s “can be”; on some of the phishing sites, spelling mistakes a fourth grader wouldn’t make are a clear giveaway.) To make the site seem more realistic, the scam artist often includes legitimate links alongside phony ones. But if you click the login link, you’re in trouble.

Internet Explorer 7’s new phishing filter protects you from these scams. You don’t need to do anything to turn it on; it’s always running.

One day, though, when you least expect it, you’ll be on your way to visit some Web site—and Internet Explorer will stop you in your tracks with a pop-up ...
