The sentence "Your session has expired. Please log in again." might let user guard down, especially if they didn't tick or don't remember whether they tick "stay logged in forever".
True, but in that case the user should still never log back in via a link he got from someone else. He should instead do it from his bookmarks or whatever method he uses. I have opened my profile thousands of times, so I usually start typing Pmal... in the address bar which takes me to bitcointalk and I am logged in after a few clicks.
NotATether makes a good point as well. There is no recaptcha in the picture from the fake site.