If you have an account with Amazon.com -- and millions of consumers do -- be on the lookout for new and evolving phishing scams aimed at stealing your account username and password.

Identity thieves have launched a new scheme in recent weeks, allowing them to gain access to victims' accounts and order as much merchandise as they want. If the victims keep a credit card on file with Amazon, those illegal purchases can be billed to the victims.

The scam takes many forms but in one recent batch of spam emails, the subject line says "Verify Your New Email Address." Since most targets haven't changed their email address, naturally they are concerned enough to open and read the email.

The message directs the recipients to click on a link that takes them to what they believe to be a page on Amazon.com's site, but in reality is a page controlled by the scammers. They are directed to log in to their account and, if they do, the scammer records their user name and password.

Amazon.com is increasingly a popular vehicles for scammers and identity thieves because so many people all over the world have accounts. In another version of the scam, victims receive emails, made to look like they are from Amazon.com, with the subject line "Thank You For Your Order." It's objective is the same -- to steal your log in information.

"From time to time, you might receive e-mails that look like they come from Amazon.com, but they are, in fact, falsified," Amazon.com warns on its website. "Often these e-mails direct you to a Web site that looks similar to the Amazon.com Web site, where you might be asked to provide account information such as your e-mail address and password combination. Unfortunately, these false Web sites can steal your sensitive information; later, this information may be used to commit fraud."

The company says the schemes can not only steal account log-in information, but download dangerous virus and malware programs.

Dead giveaways

Amazon.com says it will never ask you for the following information in an e-mail communication:

• Your Social Security number or tax identification number

• Your credit card number, PIN number, or credit card security code (including "updates" to any of the above)

• Your mother's maiden name

• Your Amazon.com password

Amazon.com said it will not ask you to verify or confirm your Amazon.com account information by clicking on a link from an e-mail. It also said it does not send order confirmations or other unsolicited requests that require you to open attachments, nor do they permit their merchants to do so.

"We recommend that you do not open any e-mail attachments from suspicious or unknown sources," the company warns.

Also, be on the lookout for poor grammar or typographical errors. Some phishing e-mails are translated from other languages or are sent without being proofread, and as a result, contain bad grammar or typographical errors.

Take a closer look

Still not sure the email is from Amazon.com? Then check the return address.

While phishers often send forged e-mail to make it look like it came from Amazon.com, you can sometimes determine whether it's authentic by checking the return address. If the "from" line of the e-mail looks like "amazon-security@hotmail.com" or "amazon-fraud@msn.com," or contains the name of another Internet service provider, you can be sure it is a fraudulent e-mail.

Finally, check the Web site address. Genuine Amazon.com web sites are always hosted on the "amazon.com" domain--"http://www.amazon.com/" (or "https://www.amazon.com/.) Sometimes the link included in spoofed e-mails looks like a genuine Amazon.com address. You can check where it actually points to by hovering your mouse over the link -- the actual Web site where it points to will be shown in the status bar at the bottom of your browser window or as a pop-up.

"We never use a web address such as "http://security-amazon.com/" or an IP address followed by directories such as "http://123.456.789.123/amazon.com/," the company said.