The real dangers in online identity theft typically result from two scams:
Phishing: Fraudulent bulk e-mail messages guide naïve users to legitimate-looking but fake websites, where they are prompted to reveal personal information such as account numbers or passwords. Phishing attempts are such dead-on mimics (hard for even Internet security experts to detect) that scrutinizing the Web address itself may be the best way to spot them. Most banks can offer customers additional information on how to avoid phishing.
Pharming: The domain name server is tampered with to reroute legitimate website traffic to a bogus site. (You have no clue you've arrived at a sham site because its URL appears to be correct in the Web address field.) Pharming scams are more difficult to detect. One clue is to look for valid certificates of authority, such as a locked padlock icon or the VeriSign indicator that matches the site's name.
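The Web-address check described under phishing, as an added Python example that is not part of the original article: it parses a link and reports why its real host is not the site it claims to be. The domains bank.example, login-secure.test and evil.test, the function name check_link and the reason strings are assumptions made for illustration.

```python
import ipaddress
from urllib.parse import urlsplit


def check_link(url, expected_domain):
    """Return the reasons `url` should not be trusted as `expected_domain`."""
    try:
        parts = urlsplit(url.strip())
    except ValueError:
        return ["unparseable"]
    # The host is what follows any "user@" part and precedes the port or path.
    host = (parts.hostname or "").rstrip(".")
    expected = expected_domain.lower().rstrip(".")
    reasons = []
    if parts.scheme != "https":
        reasons.append("not-https")
    # "https://bank.example@evil.test/" really goes to evil.test.
    if parts.username is not None:
        reasons.append("userinfo-before-host")
    # Look-alike letters from other alphabets, raw or in punycode form.
    if not host.isascii() or any(l.startswith("xn--") for l in host.split(".")):
        reasons.append("non-ascii-or-punycode-host")
    try:
        ipaddress.ip_address(host)
        reasons.append("ip-literal-host")
    except ValueError:
        pass
    # The expected name must be the host itself or the END of the host,
    # so "bank.example.login-secure.test" does not count.
    if host != expected and not host.endswith("." + expected):
        reasons.append("host-mismatch")
    return reasons


# Constructed sample links (reserved .example and .test names, documentation IP).
SAMPLES = [
    "https://www.bank.example/login",
    "https://bank.example.login-secure.test/",
    "https://bank.example@evil.test/login",
    "http://203.0.113.7/bank.example/login",
    "https://b\u0430nk.example/",  # Cyrillic "a" in place of the Latin one
]

if __name__ == "__main__":
    for link in SAMPLES:
        print(link.encode("unicode_escape").decode(), check_link(link, "bank.example"))
```

A pharmed site passes this check because its URL is correct; that case depends on the certificate clue described above.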
How to Protect Yourself
Assume that most e-mails requesting sensitive information are bogus; the keepers of your credit-card and bank-account numbers never request e-mail "updates" of your customer information. If they do, they'll provide a phone number that can be easily cross-checked.
Even if such a number is provided, look up the company's number independently, then call it yourself. "Verification" numbers given by phishers and pharmers will simply be answered by a party to the scheme.
Except for a few isolated instances, such as FAFSA forms to apply for student aid, it's the rare government agency that will ask you to supply your Social Security number via e-mail. If you receive an e-mail that requests your SSN and claims to originate inside a government agency, don't respond until you have called that agency directly and received both verbal and written confirmation that the e-mail is authentic.