I received my very first phish email. Here's how it went (and I had to retype this, because the text was actually an image):
During our regular accounts verification, it has come to our attention that your account details might be out of date or incomplete. This irregularity must be fixed by logging on to your * [I'm not naming the financial institution] Online Access account. This procedure is performed one time only and it does not require further actions on the customer side. After the account has been confirmed by logging in, your regular daily actions on * website can be continued. Follow the link below to login:
[realistic looking URL]
In our efforts to offer a competitive service and maintain a reliable database server, we are performing a regular monthly update on every account enrolled with us.
This is an automated message, no reply or confirmation is required on the customer side.
© FI. Use of the information contained on this page is governed by Australian law.
The design of the email was totally convincing - it could have been written from the FI's style guide. For half a second I thought about going along with it; after all, I have changed my address and have been meaning to tell them about this for some time. Then I remembered the golden rule against phishing: financial institutions never send these emails to their customers.
I rang them and they confirmed that they hadn't sent it. So I forwarded the email to their security section and reported the email to Google as well (Gmail has a report phishing option).
Just last night I had been reading about spear-phishing, where particular individuals are targeted because of the wealth or information which they possess. I'm doubting that spear-phishers would ever go after me, which is just as well, because regular phishing is annoying enough.