Even if browsers did this, you can still execute this attack. As long as not all of your users know what the expected behavior is, you can trick them with a fake UI as long as it looks believable.
The goal is not to protect 100% of your users, it is to reduce the number of users who are currently vulnerable. One is possible, one is not. If you can significantly reduce the number of users who will fall for an attack, then it is a success, even if not everyone is protected.