Thanks for replying, Mark.
I do already have the option checked to scan files outside my WordPress installation, and this directory is not picked up. But also, I may have given the wrong impression by saying 'web root' - it is the root of the WordPress installation - i.e. the directory containing wp-login.php, wp-config.php etc. In my setup this is the same as the web root.
While trying to verify and reproduce this behaviour, I placed files with eval and base64_decode( in them and I can confirm that indeed Wordfence does scan the ' .' directory. I can only guess that the phishing files did not contain anything that looked malicious! :(
However, in trying to find out why I didn't manage to detect these files, I have noticed a related issue (please let me know if it is better to start a new thread):
Even when I have directories containing files that look malicious in a scan, and are noted as "File type: Not a core, theme or plugin file." I still don't find them under "Files found that don't belong to WordPress Core or known Themes and Plugins". That page always just states "You either have not completed a scan recently, or there were no files found on your system that are not in the WordPress official repository for Core files, themes and plugins."
Should those files not appear here? Or am I misunderstanding what files I should see there?