A few years ago, researchers at Harvard University and UC Berkeley published a rather interesting study about phishing. After running a usability study to see how well people can detect phishing attempts, they found that:
23% of the study's participants did not look at the address bar, status bar, or the security indicators
68% proceeded without hesitation when presented with popup warnings about fraudulent certificates
90% were fooled by good phishing websites.
Neither education, age, sex, previous experience, nor hours of computer use showed a statistically significant correlation with vulnerability to phishing.
[expand full text]