If for some reason I think that something might possibly conceivably maybe perhaps be legitimate I look at the header. Then I run the IP address(es) again an ARIN "whois." I didn't know, for instance, that Citibank ran a fraud office out of Dar-es-Salaam or that the IRS had an office in an industrial park outside of Cairo, Egypt.

And viewing the "page source" is also interesting, especially when you find out that "clicking here" won't take you to Key Bank's website at all!

Yeah, mine's a little more technical than what Amos posted, but it all boils down to "If it sounds to good to be true it probably is" and, from the other side's point of view, "Never give a sucker an even break."