The one that seems to catch people out is the link which they click on in a mail in Gmail.
That takes them to gmail.google.com.myphishingsite.info/sessionexpired,
which presents them with a message like "session expired, please login to your Gmail account", and the top line already has their email address; all they need do is enter their password.
Most people don't question why that would happen a few seconds after clicking on the link,
quite possibly because Google and Facebook don't take you straight to a link; they log it first via an intermediate page and then redirect you to the destination (I see it all the time on my slow connection).
The page looks authentic and they tend not to look at the address bar and see the bolded address myphishingsite.info.
Often it's a site like fgjfjhki23d.info, a random jumble of characters just like the ones a site like Google and Facebook use all the time. People are used to seeing this sort of thing,
e.g. http://it.slashdot.org/comment... Of this address (taken from the address on this page) only it.slashdot.org makes any sense to most people, and their eyes glaze over beyond the initial it.slashdot.org.
That's a problem: without any training in website design it's pretty hard to tell the real from the fake.
Thing is, once an email account has been harvested it immediately sends out 100 emails to the address book of that user, and the same thing happens again.
Most people think they had their email hacked, not realising they gave away their password.
It's kind of hard to stop people from falling for this sort of thing. The emails are even clever enough to redirect to an alternative page once the fake webmail page has been brought up once.
People here would say it's because people are stupid, but most people just don't have enough knowledge or interest in this area to know when something is fake or genuine.
It is probably impossible to fix, especially when the sites we use every day use random-looking character sequences as part of the URL.
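The point the comment makes about gmail.google.com.myphishingsite.info is that the part of a hostname which identifies the owner is the rightmost registrable label pair, not the familiar brand name on the left, which is exactly what the browser's bolding in the address bar tries to show. The following is an added example (not the commenter's code) of a small link checker that extracts that owner part from a URL and flags a link whose hostname contains the expected domain only as a decoy prefix. It assumes a deliberately tiny, constructed stand-in for the Public Suffix List; a real implementation would load the full list from publicsuffix.org.

```python
from urllib.parse import urlsplit

# Constructed, deliberately tiny stand-in for the Public Suffix List
# (https://publicsuffix.org/). A real checker would load the full list,
# which is what browsers use to decide which part of the host to bold.
PUBLIC_SUFFIXES = {"com", "info", "org", "co.uk"}


def registrable_domain(host: str) -> str:
    """Return the part of a hostname the registrant actually controls (eTLD+1).

    Everything to the left of it is a subdomain the same registrant can
    set to anything, including 'gmail.google.com'.
    """
    labels = host.lower().rstrip(".").split(".")
    # Try the longest matching public suffix first (e.g. "co.uk" before "uk").
    for n in range(len(labels) - 1, 0, -1):
        suffix = ".".join(labels[-n:])
        if suffix in PUBLIC_SUFFIXES:
            return ".".join(labels[-(n + 1):])
    # Suffix not in our (tiny) list: fall back to the last two labels.
    return ".".join(labels[-2:])


def highlight_owner(host: str) -> str:
    """Mimic the address-bar bolding by bracketing the owner part of the host."""
    owner = registrable_domain(host)
    prefix = host[: len(host) - len(owner)]
    return f"{prefix}[{owner}]"


def check_link(url: str, expected_domain: str) -> dict:
    """Compare the owner of a link's host against the domain the mail claims to be from.

    'brand_spoofed' is set when the expected domain appears inside the host
    (as a decoy subdomain) but the real owner is somebody else.
    """
    host = urlsplit(url).hostname or ""
    owner = registrable_domain(host)
    expected = expected_domain.lower()
    return {
        "host": host,
        "owner": owner,
        "display": highlight_owner(host),
        "matches": owner == expected,
        "brand_spoofed": expected in host and owner != expected,
    }


if __name__ == "__main__":
    # Constructed sample links: the one from the comment, a genuine one,
    # and a random-looking one of the kind the comment also describes.
    for link in (
        "http://gmail.google.com.myphishingsite.info/sessionexpired",
        "https://mail.google.com/mail/",
        "http://fgjfjhki23d.info/login",
    ):
        print(check_link(link, "google.com"))
```

The `display` field reproduces what a careful look at the address bar would show: for the phishing link it is `gmail.google.com.[myphishingsite.info]`, with the brand name sitting entirely in the part the attacker controls.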