Never, EVER, give personal information like SSN's, bank acct numbers, passwords, etc. to another party unless YOU initiated the contact AND you know the institution you're dealing with. If people followed that advice there would be far fewer phishing scams in this world.
If you're not sure if the email is a scam or not, most browsers will display the *real* URL in the bar at the bottom of the window/screen when the mouse is held over the URL given in the email. And if it *is* a scam, or even if you're just not sure it's legit, send it to abuse@$company or whatever else sort of email addy the real company has set up for that sort of thing. They'll go after the scammers and it won't be pretty.