Tips for Using Email Securely

Be aware that it is extremely easy for someone to forge an email message to make it appear as if the message has been sent by your bank, a software vendor (e.g., Microsoft), or another entity with whom you do business. If a message requests that you send your password or other private information, or asks that you run or install an attached file, then it is very likely that the message is not legitimate. When in doubt, just delete the message.

[Give specific examples:]

If a message is signed, you will see a pen to the right of the From address, and then you can trust the "from" address. [Link to a document that describes the difference between the kind of e-mail signatures corporations use and PGP / Enigmail signatures.] But if the e-mail is asking you to run an attached program, you should still be suspicious that the sender's computer might be infected with a virus.

Never fill out a form in an e-mail, because you cannot tell what web site the form will be submitted to.

Be cautious when clicking on links sent to you in email messages. If you do click on such a link, double-check the name of the site as shown in the location bar of the browser. Don't enter any personal information into forms displayed at such a site, and if you have any concerns whatsoever about your security, just close the browser window. Do not rely solely on the address displayed in the status bar of your e-mail program: the text a link shows and the place it actually goes can differ (split links, user:pass@host addresses, javascript: links, or maybe even CSS trickery). Check the address displayed in the address bar of your browser once the page has opened.
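As an added example (not part of this page), here is a small Python check that applies the tip above to the links in an HTML message: it flags links whose visible text names one host while the real target is another, links that hide the real host behind a user:pass@ prefix, and links that use a javascript: or data: scheme instead of http(s). The sample message and all hostnames in it are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML message."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def suspicious_links(html):
    """Return (href, text, reason) for links whose real target does not match
    what the message shows: split links, user:pass@ hosts, script schemes."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        real = urlparse(href.strip())
        if real.scheme.lower() in ("javascript", "data", "vbscript"):
            findings.append((href, text, "non-http scheme: " + real.scheme))
            continue
        if real.username is not None:
            findings.append((href, text, "user:pass@ prefix hides the real host"))
            continue
        # Only compare hosts when the visible text itself looks like a URL.
        if re.fullmatch(r"\S+\.\S+", text):
            shown = urlparse(text if "://" in text else "http://" + text)
            if shown.hostname and shown.hostname != real.hostname:
                findings.append((href, text,
                                 f"shows {shown.hostname} but goes to {real.hostname}"))
    return findings

# Constructed sample message (all hostnames are made up for illustration).
SAMPLE = """
<p><a href="https://www.example-bank.test/login">https://www.example-bank.test/login</a></p>
<p><a href="https://www.example-bank.test.attacker.test/">www.example-bank.test</a></p>
<p><a href="http://www.example-bank.test@attacker.test/login">Verify your account</a></p>
<p><a href="javascript:void(0)">www.example-bank.test</a></p>
"""
```

Running `suspicious_links(SAMPLE)` reports the last three links and leaves the first, whose visible text and real host agree, alone.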

When you open an attachment, your e-mail client may say something like "be sure you trust the person who sent this file". Ignore this warning; its use of the word "trust" is dangerously inaccurate. Here's what you should do instead:

  1. Determine whether the file is a program or a data file using the instructions under "Downloading files and e-mail attachments". If it is a data file, it is safe to open. If it is a program or if you can't tell, continue to the next step.
  2. Contact the sender (in person or using a phone) to ask if they meant to e-mail you a program. Most likely, they did not mean to send you the program, and the program is a virus sent either from their computer or from another computer with a fake "From:" address.

Related pages