They register domains similar enough to the company and often related (support-raytheon for example) so that even people that look for questionable URLs can be fooled.
This is also made harder with the use of CDNs nowadays. A while ago our office started receiving large numbers of "InterFax" notification with a download link. I don't know what a proper InterFax notification looks like, but as you said, they did look professional, and in some cases the URL didn't look too dissimilar to some CDN URLs we've used.
I tend to visit web pages used in phishing attacks for a couple of reasons. First, I like to input useless data. Second, I like to rate what sort of job the scammers did in cloning he web site - I always feel a little let down when I see dead links, as they didn't make the effort to duplicate all the pages linked to by the cloned login page. Seriously guys, put some effort into your scams - the work ethic of the criminal world is really dropping.