Although most companies will not ask for personal information via email, these phishing schemes make the user believe they are on a legitimate website, where the user feels it’s legitimate. I’ve taken the approach when I can’t be certain if the email is legitimate I just don’t respond at all, but will go to the website directly, not through an email link, to see if I see the same request for information after I’ve logged into my account.