Its masterstroke is its spot-on mimicry of banker boilerplate (and for that matter of techy install-prose) as it walks the recipient through the steps required to install the digital certificate that will enhance their security and simplify their bank's sign-on process.
What's installed, for those who bite at the fly phish, is a trojan that then captures passwords, account numbers, etc.
The user is never once asked for an identifying number or piece of confidential information.
This one is smooth and polished, with a razor-sharp barb that might prove more effective than the "we need your password" approach that has long since approached and passed the point of diminishing returns.
F-Secure has a nice YouTube video of the scam here.