Legitmate sites are copied for "phishing" scams
Here is an example of a site that has been spoofed to look like Bank of America Military Banking. An official looking email informs you that your account may have been accessed by an unofficial third party and it is urgent you click on the URL provided to confirm/update/verify your account data. No credit card company will ever ask you to verify your credit card number and expiration date in this manner. They also will never ask you for your PIN. If you give this information away, kiss your fortunes goodbye! Even if a scam artist sends out 10,000 phishing attempts and only 2 people fall for it, that is still a lucrative scam.