Some of the phishing sites are remarkably clever.

A few months ago, Slashdot highlighted a study they had done among experienced IT professionals in which they were shown 20 emails and asked to tell which ones were phishing emails and which were legit. Amazingly, only about 15% of professionals got all 20 correct. I took the test and I think I missed one or two, and I consider myself fairly sophisticated at detecting fakes.

Of course, some are so poorly written/worded that it's amazing anyone would fall for them.