Not to long ago, Ela Iwaszkiewicz wrote a blog-post titled "Protect yourself from scams by knowing who really emailed you" where she tells the story about how someone tried scam here to gain access to her bank account. Ela obviously called the bluff, and the article is about how she did this using Gmail's built-in features. The article is very Gmail-centric, but the same concept can be used in most other email clients.

In Apple's Mail.app for instance, you can view the raw message source by going to View -> Message -> Raw Source (or by pressing ⌘⌥U).

Once in the 'Raw Source' mode, you can follow along and see that the email was actually sent from whom it claims to be. That said, this is somewhat tricky for the average user, and Gmail's web interface makes this a lot easier.

The bottom line is that no serious business would ever ask you for your username or password, or any kind of sensitive information over email (or at all). You should also make sure you are running an updated web browser. Recent versions of Google Chrome and Firefox comes with great tools to helping you to stay safe.