I tell you, the amount of stupid in this world is beyond measure.
I got an email, from firstname.lastname@example.org. I do have an account with Worldpay, and when I want to sign in, I go to https://login.worldpay.com. And I give my username and password.
The email asks me to go to www.your-worldpay.com, and gives a link to there. And your-worldpay.com is NOT worldpay.com. So who does it belong to? I did a whois, and found out.
Registrant Name: Adam Oldfield
Registrant Organization: Force24 Ltd
Registrant Street: Indigo Blu, Office 2,
Registrant Street: 14 Crown Point Road
Registrant City: Leeds
Registrant State/Province: West yorkshire
Registrant Postal Code: LS10 1EL
Registrant Country: UK
Registrant Phone: +44.8452725990
Is this Worldpay? I don't know, but I have no reason to think that it is.
The email tells me that my invoice is ready, and it give my correct Merchant number.
So I called them (at the number I got from the real Worldpay web site), and told them about this. They assured me that it isn't a scam email, it really did come from them, although I don't know how they could verify that.
If it's a scam despite what they are saying, then this isn't their fault. But if it isn't a scam (which is what they said) and it really did come from Worldpay, then they have just increased the amount of stupid.
We try to educate users, we try to explain to them why it's a bad idea to click on a link that you don't recognise. And organisations like Worldpay sabotage this attempt at education by offering people a link to click on which is not one that they would expect.
I've made a formal complaint to them, at email@example.com.