If you've heard of the Smashing Security podcast, you know Graham Cluley.  He recently posted this link, describing how he tried to address a fake email he received from a travel website.

Apparently, Cluley was never previously their customer, but within hours of becoming a customer and placing an order, he received what he thought was a legitimate message from the travel company.  There was an air of validity because of his recent order, and he almost acted on the message's demands.

He reached out to the company, and I'm sure they haven't responded yet because they're chasing down what went wrong.  Or, let's hope that's what's happening.