People aren't suspicious
Here's a lesson that in retrospect I first absorbed from seeing people fall for what were really rather bad forgeries on Usenet, way back when:
Most people aren't suspicious.
Most people see what they expect to, and don't notice what they don't expect to. If something is missing, people fill it in automatically; if something is vaguely off, people ignore it. You don't need to be good to fool people; you just need to not be bad enough to force them to notice.
We suspicious people find this hard to believe, because to us the faults are so glaring and obvious; how could anyone fall for it? But we're a rarity, and even then we're probably not suspicious outside our sphere of reflexive expertise. (People who are suspicious about everything in their life look at least more than a little bit obsessive.)
(There are some fascinating psychology of perception experiments that suggest that this is in fact more or less innate; people just don't notice things that they consider unimportant at the time. See also here and here, for example.)
This is ultimately not very surprising. Almost all of the time, being suspicious is just extra work, and evolution has been very good at training us to be lazy.
This does a lot to explain the success of phish spams, for example; after all, most of them have obvious problems that are easily picked up by an alert nine-year-old, yet they still work.
(This makes me think that the only anti-forgery and anti-phish technique that will really work is to figure out what people actually read and then make it glaringly different from what they normally see.)