"hoodwinked by malware-carrying emails purporting to be from their banks"
And to think that my bank has a declaration on its home page saying that they will never ask you for your banking details either by phone or by mail. It must be the only one, I guess.
Not to mention the fact that the body of the mail may have been properly engineered to resemble an official mail, but I'm pretty sure that a quick check of the replyTo address would/should have raised some red flags.
There is a disturbingly high need for mail training these days.