"Why Phishing Works" is a recent study (PDF) that examines phishing website techniques. The most visually deceptive website spoof in the study was able to fool 90% of the study's participants, and that 90% figure includes the most technically advanced users among them. It was the look, not the spoofing of security features, that did the job - something that our resident phishing expert found quite interesting.
Crossing disciplines, and summing up this article published last summer in the journal Neuron: if you don't see something often, you won't often see it. Perhaps you could also say: if you don't see fakes often, you won't often see fakes. Therefore, many phishers designing visually deceptive phishing sites count less on technical subterfuge than on the failings of the human brain's power of perception. If it looks like what the brain is expecting, then the brain often won't see that it isn't.
Why don't banks allow you to customize your online banking interface with a picture of your preference? Like your own mugshot? Your pet? Your girlfriend? The logo of your favorite team? Your country's entry to the Eurovision song contest? Something that would relate to you - something that you'd miss if it weren't there. There are companies that are working on visual personalization technology; we think it's a good idea that could help to reduce the size of the phishing net.