This BBC article claims in a recent study 40% of users failed to spot phony bank phishing websites. The most sophisticated site caught out 90% of the 22 people participating. Here's their advice for you users to avoid getting hooked:
Thinking you don't have to worry about this? Read this. Consider, how many of your users per day are running to their bank website from your corpnet to take care of something?