Yep
Took me a while to see what the difference on the MyBank example was, so I suppose there's a decent risk of being caught out. That said, it would require going against the "never click on a link in a bank (or any site requiring login details) email" for most to be sucked in.
Biting the hand that feeds IT
