In practice, the bad guys are not getting credit card numbers by monitoring unencrypted plain text email connections. They're doing it by getting the information in bulk straight out of databases at the destination (either by hacking or by getting unscrupulous employees to sell them data dumps). My opinion is that the risk factor in sending a CC number over email is much smaller than the risk of giving it to the destination organisation in the first place. And even if you do get unlucky, as a consumer you don't usually end up out of pocket for fraudulent transactions on your card.