Look at this thread I made. Now, John Lewis’ general behaviour was unthinkably bad all around (except the very patient and friendly person on the phone - kudos to her!) - the email they sent could have been taken straight out of ‘how to write a phishing message 101’ - but it proves how big of a deal auths can be.