Even money says the "label" is a Trojan.
Seems like way too much trouble, making a Trojan email, just to infect someone. Weren't the first viruses sent via email?
Don't most folks have spam/virus filters? Pretty weak scheme. I'm disappointed.
Quite to the contrary, this technique - which is a variant on hacking the user - cleanly circumvents all of the security software on the users machine by peaking their curiosity to the point where they simply just shut it off.
You see the modern operating systems and software have become secure enough that direct attacks are too costly (in time) to perform in bulk. You can't just attach a naughty file and have it guarantee-ably go boom when it hits someone's inbox ... So other methods have to be used. These methods focus on the weakest link in the chain, and the weakest link is the user.
Banks, mortgage companies, tax records, shipments, money transfers ... These are all common hot topic items that are likely to cause someone to rush through resolving a seemingly
really important "problem". However if the resolution actually just leaves you filling out a fake form, that then makes a fake problem go away ... The fact that you just gave all of your personal information to some hacking group in a foreign country will most likely go completely unnoticed until one of your - hundred or so - alter ego's defaults on a loan...
Many of these type of soft target attacks also leave you with a bonus key logger (and etc...) as a totally free "parting gift" to see what else you might be inclined to share.
You see the whole point of the exercise is to be obvious as hell so people get cocky and say "Ha! that was stupid" ...Because that way their confidence will ultimately work against them when the one that isn't quite so obvious (because you really were waiting on an X...) shows up and bites them in the ass.
Security is a practice that must be adhered to at all times ... It is not
something you install and then blindly trust to just work.