With all of the awareness today of malware, free anti-virus programs, and aggressive email filtering, it would seem that only the careless or ignorant would manage to get their computers infected.
But phishing still seems to be the most popular way to get an infection. Someone gets an e-mail from their banking institution, with a link to click on and a request to attend to some matter there, but the link goes to a malicious website that mimics the trusted institution website. The elderly must be the most vulnerable to this, as they won't be as sharp to scrutinize such communication. Then there's also the matter of a favorite website becoming infected, to attempt deception while you're visiting it, but I imagine that this is quite rare.
But isn't e-mail filtration strong enough now that the e-mail MUST come from the bank's trusted domain? Anything that doesn't match goes to the spam folder. Or, have hackers come up with a way to make an insertion into the e-mail stream such that their e-mail header will contain the proper routing information from the bank's domain? I just don't get how phishing should still be so effective at creating infections.
Incidentally, there's a UC Berkeley research paper on the subject that is rather interesting: Why Phishing Works
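As an added illustration (not part of the original post, and not taken from any mail product), here is the kind of check a receiving mail server has available when deciding whether a message "comes from the bank's domain". It parses the From header and the Authentication-Results header that a receiving server appends after evaluating SPF, DKIM and DMARC, and separates four constructed cases: a genuine message, a forged From header that fails DMARC, a message whose display name imitates the bank while the address is elsewhere, and a look-alike domain. The bank domain examplebank.com, the sample messages and the small confusable map are all assumptions made up for the demo.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Hypothetical bank domain and brand keyword (assumptions for this demo).
TRUSTED_DOMAINS = {"examplebank.com"}
BRAND_KEYWORDS = ("examplebank",)

# Tiny confusable map: folds common look-alike spellings so that a domain such
# as exarnplebank-secure.com or examp1ebank.com collapses onto the brand name.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]

# Constructed sample messages. Authentication-Results is the header a receiving
# MTA adds with the outcome of its own SPF/DKIM/DMARC evaluation.
SAMPLES = {
    "legit": """From: Example Bank <alerts@examplebank.com>
To: customer@example.org
Subject: Your monthly statement is ready
Authentication-Results: mx.example.org; spf=pass smtp.mailfrom=examplebank.com; dkim=pass header.d=examplebank.com; dmarc=pass header.from=examplebank.com

Log in at https://www.examplebank.com/ to view your statement.
""",
    "forged_from": """From: Example Bank <alerts@examplebank.com>
To: customer@example.org
Subject: Urgent: verify your account
Authentication-Results: mx.example.org; spf=fail smtp.mailfrom=examplebank.com; dkim=none; dmarc=fail header.from=examplebank.com

Click here to confirm your details.
""",
    "display_name": """From: Example Bank Security <noreply@mail-alerts-3921.net>
To: customer@example.org
Subject: Suspicious sign-in detected
Authentication-Results: mx.example.org; spf=pass smtp.mailfrom=mail-alerts-3921.net; dkim=pass header.d=mail-alerts-3921.net; dmarc=pass header.from=mail-alerts-3921.net

Review the activity now.
""",
    "lookalike": """From: Alerts <alerts@exarnplebank-secure.com>
To: customer@example.org
Subject: Action required
Authentication-Results: mx.example.org; spf=pass smtp.mailfrom=exarnplebank-secure.com; dkim=pass header.d=exarnplebank-secure.com; dmarc=pass header.from=exarnplebank-secure.com

Your account has been limited.
""",
}


def skeleton(label):
    """Lower-case a domain label and fold confusable character sequences."""
    s = label.lower()
    for a, b in CONFUSABLES:
        s = s.replace(a, b)
    return s


def parse_auth_results(msg):
    """Return e.g. {'spf': 'pass', 'dkim': 'pass', 'dmarc': 'fail'} from Authentication-Results."""
    hdr = str(msg.get("Authentication-Results", ""))
    return {m.group(1).lower(): m.group(2).lower()
            for m in re.finditer(r"\b(spf|dkim|dmarc)=(\w+)", hdr)}


def classify(raw):
    """Classify a raw RFC 5322 message by who it claims to be and what actually verified."""
    msg = message_from_string(raw)
    display, addr = parseaddr(str(msg.get("From", "")))
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    auth = parse_auth_results(msg)

    if domain in TRUSTED_DOMAINS:
        # Exact bank domain in From: only DMARC pass proves the header was not forged.
        return "trusted" if auth.get("dmarc") == "pass" else "forged-header"

    # Not the bank's domain: SPF/DKIM/DMARC may all pass because the sender owns
    # that other domain, so look at whether the brand is being imitated instead.
    if any(k in skeleton(domain) for k in BRAND_KEYWORDS):
        return "lookalike-domain"
    if any(k in display.lower().replace(" ", "") for k in BRAND_KEYWORDS):
        return "display-name-spoof"
    return "untrusted"


def classify_samples():
    """Classify every constructed sample; returns a name -> verdict mapping."""
    return {name: classify(raw) for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in classify_samples().items():
        print(f"{name:14s} -> {verdict}")
```

The point the code makes concrete is that SPF, DKIM and DMARC only establish that a message really came from the domain in its From header; in the display-name and look-alike cases every check passes because the attacker controls that domain. Deciding whether that domain is actually the bank's is a separate judgement, which is why the last two branches look at the display name and a confusable-folded domain rather than at the authentication results.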