The favorite tactic I'm seeing at the moment is requests to update my profile, usually from a site or company I don't have any connection to. I also still get the security alerts that aren't real. It's so easy to see through all of these, but I guess some people get taken in, or it wouldn't be so common.
I get those too, but some have been from ones with which I do have accounts, so you always have to double-check. But, typically, they're easy to see because the eMail address will be with either a suspicious looking domain name (like writersanctuum.com or writer-sanctum.com*) or be entirely different. Or, they will address you as "Valued Customer" or something generic when companies you have accounts with have your name on file. I received one the other day that listed "Account Ending XXXX" with the actual Xs not the last four digits of your account number. I suppose some people fall for that one but it's like why bother including "Account Ending" when you can't include the actual digits (because spammers don't have them)? Better to just leave it off, in my opinion.
But, on the other hand, there are a couple suppliers I have that will send eMail invoices or other account notices and actually open the message with "Dear Customer."
I have to always double-check those to make sure they are legitimate. But, it's like, ugh, don't do that!