Cross Site Scripting is a web application attack which is also known as code insertion attack. It is basically of two types
1) Insertion of script in the server side, for example in the database content. Hacker may insert the script in the database by using forum postings etc. These scripts gets executed when user browses that page which uses the content having the hidden scripts.
2) Insertion of script content in the URL. Hacker may send these URLs by the channel of email. When user gets the email and clicks on the link script gets executed on the system and will become active when user enters the credentials to get into the site. Script captures the credentials and post those details to the hacker site behind the scene. Some times attackers uses URL encoding/ UTF encoding / ASCII representation of the URL parameters so user think it as a genuine data and clicks the URL.
NEVER click the bank URLs coming in the email. Generally bank's don't send there site URL in the emails.
I liked the White Paper which talks about this attack in detail. It talks about how these attacks are exploited and what can be done to prevent these attacks. You can also visit XSS Faqs section for further reading.
Google also had the XSS vulnerability which was fixed earlier this year.