Let me tell ya about what I think phishers will do next: storytelling. By storytelling, I mean they will send out a series of messages to each target that tells a coherent, memorable, and compelling story over time.

First one might start gently, a notice of sort without any hyperlink. Next one might get more alarming like recommending that password be changed. Again, no hyperlink. With each message, a thread of conversation grows and, because each message mentions contents of previous messages, a story develops. When the phisher feels he has built up enough shared knowledge with the reader to lure him or her into complacency, the trigger is pulled.