I just got a quite clever phishing attack against WaMu customers. The "message body" is actually a GIF image, with some junk text attached in an attempt to get it past spam filters. The GIF is actually linked to the WaMu URL that the body text in the GIF claims you're going to ... but underneath the link, the whole GIF is imagemapped elsewhere, which won't be visible in the browser because the link masks it.
Bastards are getting sneakier.
For the curious, a gzipped text dump of the complete message can be found here.
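A detection check for the structure described above, added here as an example and not part of the original post: it parses an HTML message body and reports any image that sits inside a link to one host while its image map sends clicks to a different host. The function names, the sample markup and the hosts `www.bank.example` and `203.0.113.7` are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample: an image wrapped in a link to one host, image-mapped to another.
SAMPLE_PHISH = """<html><body>
<a href="https://www.bank.example/login"><img src="cid:body.gif" usemap="#m" border="0"></a>
<map name="m"><area shape="rect" coords="0,0,600,400" href="http://203.0.113.7/login.php"></map>
<p>unrelated filler words to pad the message</p></body></html>"""
# Constructed sample: same layout, but the map stays on the linked host.
SAMPLE_BENIGN = SAMPLE_PHISH.replace("http://203.0.113.7/login.php",
                                     "https://www.bank.example/help")

class ImageMapScanner(HTMLParser):
    """Records each <img usemap> with its enclosing <a href>, plus all <map>/<area> targets."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.anchor_stack = []    # hrefs of the <a> elements currently open
        self.mapped_images = []   # (map name, href of enclosing <a>)
        self.map_targets = {}     # map name -> list of <area href> values
        self.current_map = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a":
            self.anchor_stack.append(a.get("href"))
        elif tag == "img" and a.get("usemap") and self.anchor_stack:
            self.mapped_images.append((a["usemap"].lstrip("#").lower(), self.anchor_stack[-1]))
        elif tag == "map":
            self.current_map = (a.get("name") or a.get("id") or "").lower()
            self.map_targets.setdefault(self.current_map, [])
        elif tag == "area" and self.current_map is not None and a.get("href"):
            self.map_targets[self.current_map].append(a["href"])

    def handle_endtag(self, tag):
        if tag == "a" and self.anchor_stack:
            self.anchor_stack.pop()
        elif tag == "map":
            self.current_map = None

def host(url):
    return (urlsplit(url or "").hostname or "").lower()

def find_masked_imagemaps(html):
    """Return link/map pairs where the map target host differs from the visible link host."""
    scanner = ImageMapScanner()
    scanner.feed(html)
    scanner.close()
    # Compare after parsing, because a <map> may be defined after the <img> that uses it.
    return [{"visible_link": outer, "map_target": target}
            for name, outer in scanner.mapped_images
            for target in scanner.map_targets.get(name, [])
            if host(target) and host(target) != host(outer)]
```

Hosts are compared by exact hostname, so a map pointing at a sibling subdomain of the linked site is also reported; relative `<area>` targets are ignored.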