But how can we be sure this is the real Free Republic? It could be a dirty imposter and the real Free Republic could be bound in duct tape and locked in a closet somewhere!
We can't, unless FR switches from HTTP to HTTPS.
But simulating FR would be a big job for a phisher. The average phisher is much more interested in arranging a wire transfer from your bank to Lagos or Semipalatinsk. That's why banks use HTTPS: your browser will complain that the SSL certificate the phisher is using doesn't match the bank's and will refuse to complete the connection unless you approve an exception. My bank goes even further. It shows me a secret picture every time I log in. A phisher might have every detail about my bank's web site down pat, but he still wouldn't know which picture to show me.
A simpler hack on FR, which requires the real FR to be running, would be to hack your DNS so that FR goes to the phisher's proxy server, which faithfully relays (and logs) all communication between you and the real FR, except when it doesn't.