Check out this doctored email:
It's a standard notice that your credit line was increased and that all is well. By replacing the right text with the name of a credit card company (Chase, Discover, etc.), you get an email that looks legit. It probably would fool me if it seemed to come from a valid location.
The part that says "...for account number ending with nnnn" could hold just about any number, because I am not too sure what my card number is anymore. After all, I use a password tool that can populate forms with credit card information automatically, and my statements are all online (and I rarely look at them).
I don't think my habits are unique. On a bell curve, I probably fall right in the middle.
Which means, innocent-looking text in the email--perhaps made bold or colorful--might lead me to a click-through with text like:
You can view our fraud policies by visiting our email security page.
And make sure that "email security page" contains a link.
Better yet, one might add this:
If this email was sent in error, report the issue to our Customer Service department.
And make sure that "Customer Service" contains a link.
But those links may not work so well, especially if the link preview box in the browser says something like "http://cdfgorzinczy.ru/woeikd". So a really devious mind would own their own servers and have the links point to something like "https://creditcardcompany.com:9019/service".
Now, that looks totally official and it would fool the few who think they know a phishing scam when they see one, but aren't aware enough to really examine the email and run a search for "scam bla bla...".
Just wait until someone in Nigeria figures this out and spends the time and money to set something like this up.
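The two tells the post describes (link text that hides an unrelated host, and an official-looking hostname on an odd port) are cheap to check automatically before a message reaches an inbox. The following is an added example, not code from the original post; the trusted-domain list and the sample HTML are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Domains the real sender is known to use (assumption for this example).
TRUSTED_DOMAINS = {"creditcardcompany.com"}


class LinkCollector(HTMLParser):
    """Collect (href, visible anchor text) pairs from an HTML email body."""
    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def flag_links(html, trusted=TRUSTED_DOMAINS):
    """Return (href, anchor text, reasons) for every link a reviewer should inspect."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        u = urlparse(href)
        host = (u.hostname or "").lower()
        reasons = []
        if u.scheme != "https":
            reasons.append("not https")
        if u.port not in (None, 443):          # e.g. the ":9019" trick in the post
            reasons.append(f"non-standard port {u.port}")
        if host and not any(host == d or host.endswith("." + d) for d in trusted):
            reasons.append(f"host {host} not in sender's domains")
        if reasons:
            findings.append((href, text, reasons))
    return findings


# Constructed sample modeled on the post's wording; not a real email.
SAMPLE = ('<p>You can view our fraud policies by visiting our '
          '<a href="http://cdfgorzinczy.ru/woeikd">email security page</a>.</p>'
          '<p>If this email was sent in error, report the issue to our '
          '<a href="https://creditcardcompany.com:9019/service">Customer Service</a> department.</p>'
          '<p><a href="https://www.creditcardcompany.com/login">Sign in</a></p>')
```

Run against the sample, the first two links are flagged (unknown host over plain http; trusted host but on port 9019) and the ordinary login link passes.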