This BBC article claims in a recent study 40% of users failed to spot phony bank phishing websites. The most sophisticated site caught out 90% of the 22 people participating. Here's their advice for you users to avoid getting hooked:
Check the address bar - fake sites are often hosted on domains that have nothing to do with their target. Although eBay owns www.ebay.com it may not own www.ebay-members-security.com.
Retype web links rather than click on them - legitimate-looking links in phishing e-mails often redirect you to fake sites.
Spelling test - some phishing gangs make their own webpages and often they are full of spelling and grammatical errors.
Site security - most online banks use weblinks starting "https" rather than "http".
Naked numbers - Few organisations use raw net addresses in e-mails and seeing one can flag a problem.
Use an anti-phishing toolbar - add-ons to browsers are produced by firms such as ebay, Netcraft, Geotrust, Cloudmark, Comodo and Phishing.net that can flag fake sites. Also worth using is the Site Advisor add-on for IE and Firefox.
Thinking you don't have to worry about this? Read this. Consider, how many of your users per day are running to their bank website from your corpnet to take care of something?