Security professionals often call these "socially engineered" attacks. They usually happen on the Web by tricking you into going to a webpage that looks like your bank website, your PayPal site, Facebook, etc. But it is not your bank, PayPal, or Facebook. It is a fake webpage that looks just like the real thing. Why? So you will attempt to "login" to it and give them your logon and password.
How do they trick you into going to their fake website? Usually by sending you a very persuasive email or Facebook post that looks official and appears to come from your bank, PayPal, or a friend on Facebook, and the email or Facebook post tells you something like:
"You need to update your account information..."
"A suspicious purchase has occurred using your account. Please click on this link (real-looking weblink) to verify whether this was actually your purchase."
"This is the funniest video ever! Go to http://funnyvideos.co.tv/34ctv1.html to watch it"
"I lost 7 pounds in a week on this great diet. Go to http://healthydiets.com to read about it"
Once you click on the link they provide, you will probably be prompted with a very official-looking login page. And once you attempt to login, they have your logon and password! Why would they want your Facebook logon/password? Because the logon is your email address, and the password is likely the same as the password you use for your email account. They quickly logon to your email account and discover from your emails what other accounts you have (like eBay or Amazon, etc.) and attempt to logon to those. If they can't, they request a password reset, since they can approve the change via your email account. Then, in case you get access back to your email account, they use the "Forwarding" setting in your email account so that every email you receive is also forwarded to their email account, and so on.
Important points: make sure your critical email account password is different from all your other passwords! If you have been "phished", it would be wise to quickly go to every account that could potentially have been accessed and change its password to a new one.
Many of the "paid for" security products have components that help warn and protect you from these types of websites and emails, but they are no replacement for your own caution! Banks and payment services will never send you an email requesting login information. A good way to protect yourself is to only go to your bank or payment service by typing the website's URL in yourself.
Note: Phishing scams are also done via the phone. They call you with some real emergency (it could even be a serious allegation against you, with the caller claiming to be some kind of law enforcement) with the intention of getting you worked up. They tell you that you must give them key identity information so they can verify whether or not you are a certain person. Sometimes they already have certain information about you, so they seem very official.