Here's an interesting article on the reasons that people get taken in by phishing (in PDF format):

Why Phishing Works


This paper addresses the question of why phishing works. We analyzed a set of phishing attacks and developed a set of hypotheses about how users are deceived. We tested these hypotheses in a usability study: we showed 22 participants 20 web sites and asked them to determine which ones were fraudulent, and why. Our key findings are:

• Good phishing websites fooled 90% of participants.

• Existing anti-phishing browsing cues are ineffective. 23% of participants in our study did not look at the address bar, status bar, or the security indicators.

• On average, our participant group made mistakes on our test set 40% of the time.