Phishing works, but the method I use is more common sense than anything.
You post an account with good gear, like some T6 (but not full T6), and give a good paragraph or so as an explanation. Then, tell the person you are dealing with that you are extremely experienced in trading accounts, and you spent far too long on your account to give up your information first. Start trading SQAs, first and last names, then a fake email confirmation. Finally the account names, and password. Give them the info to an account you banned (if available) or a trial. Or none at all, the account is now yours. Actually, you may do well by asking for CD keys, and even a picture of an ID (if you are good enough at social engineering to get away with it).
Just stay cool, type well thought out sentences, and try not to misspell anything. Go in depth, and make sure you can answer any and all questions about the account.
For in-game gold, it's a bit easier.
As far as a TCG scam goes, post in trade:
Code:
/2 I recently won a WoW TCG tourny , won a booster box, got a few loot ones PST me for prices
They will then ask you what loot cards you got. Say you have enough points for all the tabards, and the Trinket, as well as the Ogre costume. You also have some disco balls, a few nether rockets, and one Spectral Tiger. Then name your price.
The trade can go two ways. What I do usually is, he opens trade with half the gold, then once he sees the code he pays me. I tell him he can test the code, and come back to me for a refund if it doesn't work, or pay me the rest if it does. I then invite myself to my guild, put the g in the bank, and delete the toon.
You can try and use CoD, or Safetrade for that, but my way seems to go smoother.
The above method can be used for selling toons for gold as well.
Hope I helped, didn't mean to write a wall of text, too bad if I wrote a guide I'd get flamed for a common sense post. [>_<]