It did happen to me. A friend was wondering why I’d sent him a password-looking message over the last.fm messaging service. Typing that password took less time than figuring out I was making a fool of myself (last.fm does need you to authorize to send the recommendation message and I really had a Homer’s D'OH moment).
There appears to be a bug on this filed in 2001.
There is an interesting and very scary presentation on phishing techniques I was pointed to recently that presents studies showing that a majority of tested users disregard hints such as the protocol (https://), the colored URL widget and the lock key completely. But I still believe that presenting this dialog in a distinct way that’s outside the possibilities of document scripts/css is long overdue.