People might be (slowly) learning about the risk of phishing, but emails are not the only way fraudsters use to try and get the data they need. They can call you pretending to be your bank and ask you directly.
It's surprising - terrifying even - to know lots of people don't even hesitate to provide private data when someone calls them claiming to be someone from their bank and asking to check some data. Something as simple as "we've noticed some unusual activity and need you to confirm some data, but first please validate your identity by telling us your credit card number - oh, and the validation code on the back while you're at it..."
Just like on the emails, where the simple detail of an email starting with "dear customer" instead of using your real name should be enough for you to stop right there and delete it; in phone calls you'll need to be aware and extra cautious for any and all calls that start asking you for info. If that's the case, you better hang up and call the bank yourself, and confirm that they indeed tried to call you. It's better to waste a phone call than to risk having your credit card data (and more) at the hands of who-knows-who!
... And the same thing goes for those "support calls" claiming to be from Microsoft, asking you to give a technician remote access to your computer so they can "fix it and make sure you have no virus"! :)