In Gmail, you can look at the message body in its "original" form, and see the trail of where it came from. Sometimes, curiosity leads me to do that. Gmail's spam and phishing filters look to be pretty good.
The simple rule is that your bank will not e-mail you a form to fill in, and certainly won't ask for passwords, etc. in one.
As others have said, any e-mail you weren't expecting, with an attachment, needs caution. Most competent anti-virus software catches them anyway.
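An added example, not part of the post above: reading the "original" view of a message programmatically to list the relay trail and the checks the receiving server recorded. The sample message, its hosts and addresses are constructed, and the function names `relay_trail`, `auth_results` and `warning_signs` are hypothetical helpers.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample message (not a real e-mail); every host and address is made up.
RAW = """\
Received: from mx.example.net (mx.example.net [203.0.113.7])
\tby mx.mailprovider.example with ESMTPS id abc123; Tue, 02 Jan 2024 10:00:05 +0000
Received: from webhost.example.org (unknown [198.51.100.23])
\tby mx.example.net with ESMTP id def456; Tue, 02 Jan 2024 10:00:01 +0000
Authentication-Results: mx.mailprovider.example;
\tspf=fail smtp.mailfrom=bounce@webhost.example.org; dkim=none; dmarc=fail header.from=bank.example
From: "Your Bank" <security@bank.example>
Reply-To: collect@webhost.example.org
Subject: Please complete the attached form

Fill in the form.
"""
MSG = message_from_string(RAW)

def relay_trail(msg):
    """Return (from_host, by_host) pairs for each hop, oldest hop first."""
    hops = []
    for value in msg.get_all("Received", []):
        flat = " ".join(value.split())  # undo header folding
        frm = re.search(r"\bfrom\s+(\S+)", flat)
        by = re.search(r"\bby\s+(\S+)", flat)
        hops.append((frm.group(1) if frm else None, by.group(1) if by else None))
    return hops[::-1]  # each server prepends its line; only your provider's own line is trustworthy

def auth_results(msg):
    """Extract the spf/dkim/dmarc verdicts recorded by the receiving server."""
    flat = " ".join(msg.get("Authentication-Results", "").split())
    return dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", flat))

def warning_signs(msg):
    """List header-level signs that the visible sender may not be genuine."""
    res = auth_results(msg)
    signs = [f"{m}={res[m]}" for m in ("spf", "dmarc") if res.get(m, "pass") != "pass"]
    from_dom = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    reply_dom = parseaddr(msg.get("Reply-To", ""))[1].rpartition("@")[2].lower()
    if reply_dom and reply_dom != from_dom:
        signs.append(f"reply-to domain {reply_dom} differs from {from_dom}")
    return signs

if __name__ == "__main__":
    for hop in relay_trail(MSG):
        print("from %s -> by %s" % hop)
    print(warning_signs(MSG))
```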