The first step in protecting yourself is to cock a sceptical eye at this stuff, regardless of how legitimate it looks. Next, look for spelling and grammatical errors. Some of this crud is composed in countries where English isn't spoken natively. If a message seems badly translated from another language, it probably was and isn't legitimate.
You can also hover your cursor over any links that appear in these messages. When you do, a small yellow window will appear that contains the real address that link directs to. On the surface it may read amazon.com, but when you hover your cursor over it you find that it directs you to the true address, which is youareasucker.net. Finally, before acting on any of these things, travel to the site that supposedly sent it (using links you enter in your browser, not ones contained in the message) and check your account. If you see a notice that confirms the information in the email--you need to update your credit card information, for example--then act on it. If you're still not sure, contact the company directly.
Open attachments: If you're not familiar with the sender, be very cautious about opening any attachments. Attached files from spammers are never what they claim to be. More often than not they're some kind of virus designed for Windows PCs so they have no effect on a Mac. Still, better safe than sorry.
Protect yourself via a challenge/response scheme: In the last decade someone came up with what seemed to be a brilliant idea: When people sign on for an account with our service, we'll ask them to create a list of people who they always want to hear from (a whitelist). Messages from these individuals will be delivered to the recipient with no problem. If, however, someone not on the list attempts to send that person a message, they'll be told that they have to visit a website, click a link, and enter a code to confirm that they are who they say they are. The intended recipient will then approve them so that they're not bothered with this rigmarole again.
Sounds great, right? It's not. To begin with, it shifts the responsibility for dealing with spam from the recipient to the sender. If I want to send you a message, somehow it's my job to make sure it gets through rather than you taking measures to deal with your spam problem. Rude.
And the result of this "Hey, you deal with my problem, buddy" scheme is that many people simply won't make the effort. Confronted with one of these "Please verify" messages, they'll delete the message they intended to send to you and vow to never bother again. Yes, you may see far less spam, but you'll also receive far less legitimate email because it won't be sent.
Sign up for CIO Asia eNewsletters.