OK, they've tried the banks where you may have an account. How about the ones where that is unlikely but somebody may want to pay you from there?
I got this today, purportedly from Danske Bank. OK, I have friends in Denmark, but there is no reason for any of them to be sending me money. Customers there? No. Instant alarm bells then.
Comme d'habitude as our cousins across the channel might say, I researched the domains of any suspicious emails. As usual, the domain was registered for a year, the minimum term, by an individual whose details couldn't be verified through publicly available sources. As usual again, GoDaddy was the registrar. They seem to have fallen in with a bad crowd.
In this case, the email address was the only sign of a domain name. Very often, such phishing attempts will have links in the body of the message too. Rolling over these, but not clicking them should reveal the target in your mail client's info panel. Make a note and check them too.