And your bank makes it hard for you! Chase Bank sent me a (legitimate!) email this week saying "We've just intercepted a suspicious transaction and tried reaching you by phone but we couldn't. Please click here if you authorized it or click here if you didn't." And then the link threw up a security certificate error! If they hadn't had my name, four digits of my account number, and a number exactly matching the number Google had just emailed me to say "We tried charging you $523.25 for your AdWords account but it got denied by your bank" 2 hours earlier, I would have sworn it was the world's best phishing attempt.