In the study by Dhamija et al, 23 per cent of the users don't even look at cues provided by the web browser, such as the address or status bars. Many have no idea what the padlock icon means; in fact, one participant confidently asserted that the padlock indicates that the website can't set cookies.and
Instead of browser cues, these people look at the web page itself. Does it "look" and "feel" right? Are there VeriSign logos on the page? How about animations? Does it seem authoritative? In some cases, the padlock icon on the web page itself was enough to convince some that the site was safe, more so than if the padlock was in the browser's chrome.
The site that fooled all but one participant in the study was for [link|http://www.bankofthewest.com|Bank of the West] (that's a link to the real website ... or is it?). On that site was a cute animated video of a bear. Evidently that tickled a number of the users who reloaded the page several times to see that animated bear. In fact, some of the participants said that the animation was proof that the site was legit, since it would take too much effort to copy it!
The ordinary folks in the study also figured that if a site has ads on it, then that increases the likelihood that it's not a fake. Likewise, the presence of a favicon (the little icon that appears in the address bar to the left of the URL) was deemed indicative of a site that was not out to steal your money and identity. Amazing what people glom onto.