One of the major issues with e-mail is that complexity is hidden from the end user. You can create a link like this

<a href="URL">NAME</a>
<a href="http://evilpage_with_nasty_things_on_it.com/infect">Click here to reactivate your bank account using secure connection!</a>

What the user traditionally will see is the text only. The same goes for sender, a field that can easily be spoofed (faked). So, a few days ago I get a mail from security@skandiabanken.no (a bank) originating from a peer at my school using a @hig.no address. My school has an issue with their mail server policy so it's probably not this person behind it, but it looks kind of funny given that gmail actually displays the sender address. The next funny thing is that am greeted with "dear customer <e-mail>". Don't you feel special!

Translated to sound almost the same...

We have recently determined different computers connecting your bank account, and several mistakes as present before logging in. We need now to verify again Your information for account visa card. If not done within 48 hours, we forced will be to suspend your account for undetermined time, because this can be used a fraudulent way. Thank you for your understanding. For verifying your account online:

..click this link
http://skandiabanken.16287.ewhuj54.dyndns-work.com/ska2/SkbAuthentication/Otp/index.html?ID=<e-mail>

Wonderful, I'm so impressed :) The scary part is that people still get caught in these traps.