It's amazing how people become drones in front of their computers concerning their personal data, clicking away, typing away and dispensing it without looking and reading in-depth at what's being asked for, by whom and what the purpose behind it is...
If there's any doubt by an end-user about giving out unsolicited info to a company/service provider of some sort regardless of the medium used (e-mail, phone, mail, etc), common sense (dead animal) says that person should make contact to that company's/service provider's customer service by phone/e-mail and inquire/report it immediately OR block/delete/mark as phishing scam, etc.