Actually some of the advice from the real SunTrust people should be standard procedure in any case like this -- confirm by phone before you do anything else. Nearly any company you'll normally be dealing with should have either a local number or a toll-free one where you can speak to someone.
Probably the vast majority of these "phishing" (identity-theft) things, at least in my case, appear to come from companies that I've never dealt with, so it's pretty obvious to chuck them out without even opening them. I've never had accounts, for instance, with CitiBank or eBay, which are two of the more common ones making the rounds these days.