Re: Don't Just Blame Users
One of the banks I use has a "PIN" security scheme for online accounts that could be phished and rick-rolled, and the PIN extracted from the user, as follows:
Please enter the following characters from your PIN: [1][3][4]
Authentication failed, please try again.
Please enter the following characters from your PIN: [6][2][5]
Sorry, website closed for maintenance. Please try again later.
Even the bank's official security notices look like phishing attacks, so users are unlikely to spot what is going on.