Buying it or stealing it, usually. It wouldn't be extremely surprising if they had the password needed to access your email too, given how often company's computer systems are hacked to obtain whatver personal information can be obtained.
We live in a world where a sex toy manufacturer bugged their sex toys to record when they were used, where they were used, how long they were used for, what settings were used and the temperature of the body part they were used on and send all that data in a very insecure fashion over the net to the manufacturer (and anyone else who cared to look). And no, I am not making that up. It was one of the multitude of computer security failures, which are so routine that they get hardly any attention even if they are as attention-grabbing as that one. It's just not news.
It's no longer the case that you have to use your email on a suspicious website (if it ever was) because it's now considered not suspicious for a business (online or offline) to sell personal information and it's not even slightly unusual for a system containing personal information to be hacked and the information copied. If you give any personal information anywhere, online or off, it's very unlikely to be secure. It's more likely that they will sell that information than keep it secure unless they think they can profit more from keeping it to themselves (which they will probably fail to do, sooner or later).
It's still unusual for information that can directly access money (e.g. card details) to be compromised, so there's still a lot of scope for thieves to use other personal information to steal money. Posing as a bank is one way of doing so. A good rule of thumb is to assume that any email claiming to be from a bank is from a thief trying to steal money from you. Same goes for any emails that offer you an opportunity to make money, get rid of fat, get rid of wrinkles, get laid, get married...anything that anyone might want, really. Start from the assumption that it's a con.
If you want to check anything that claims to be from any organisation, obtain contact details for that organisation from another source, not the email claiming to be from them, and ask the organisation.
A quick look online shows that there's currently another spate of "Bank of America" scam emails around. It's a popular target because it's an impressive name and it has a lot of customers. If a thief sends out a huge number of emails (which is very easy to do), they're bound to reach quite a few people who actually have had dealings with Bank of America. Same goes for any major bank, of course, which is why they're often used this way. Even if only 1 in 100,000 people falls for the con, that's 10 successful thefts per million messages and that's well worth it to many thieves. Easy bulk communication and money transfer makes this sort of con far easier and thus far more common, but it even happened in the days of physical letters and cheques and postal orders in the post.
Nowadays, it's a good idea to start from the assumption that it's a con. Whatever it is. Always assume a con. If they want information, it's a con. If they want money, it's a con. If they want to sell you something, it's a con. If they want to give you something, it's still a con to set you up for taking something. The classic example of that is the 419 con, named because it originated from Nigeria where it's illegal under section 419 of their law. But always assume it's a con. However it's worded, whatever it's promising, assume it's a con. You will very rarely be wrong. If it claims to be important in a way that ignoring it would cause you problems if it was legit, check as described above.
