I received a very sophisticated and slick one impersonating RBC Royal Bank yesterday.
For 'fun', I decided to actually try using it, on another computer, with completely fake information. Of course, the tipoff was the fact that it came from a host entitled "megastorm.xtardns.com", 70.86.90.18 in the SMTP headers, but it led me to this URL:
Deleted by moderator. Please do not link directly to the site. Use a picture which is safe.
-- another dead giveway, as obviously RBC's login-screen uses http
s, ie: SSL (Secure Sockets Layer) for customer transactions.
So I enter completely fake data, and remarkably, I get into something that looks incredibly like their website. The site starts asking me things such as verification questions, etc. At that point I quit, but quite frankly, I have yet to see a site that scared the bejezus out of me quite as much as that one.
I see RBC Corporate Security has arranged for the entire domain of rbcroyalbk.com to be wiped from the WHOIS database and the nameservers (DNS system) of the Internet, limiting potential damage. Kudos to them, but the industry really has got to become 100% serious about security on all levels, even if it involves spending big money on new IT projects and accelerating biometric verification procedures.