Last year I only had 3 email attempts to fool me into giving up my passwords.
These were sent to my main email address but each one was considered non-authentic.
gmail, yesterday asked for my details for any unused accounts,
no "normal" info, like warnings and what you can disregard, etc...
paypal, 6 weeks ago ask for confirmation of my account details, as they were clearing unused accounts,
and virtualcard, a couple of months before that.
I've not responded to any of these emails, looking very official (without doing a live "a and b comparison") but just from reading them, there was not enough information to convince me they were official.
I might have saved something there, not sure.