
Wouldn't this make it that much easier to phish non-power users?


I would think it would make it harder to phish. Since all you see is the domain name, it should be easier to tell if it's not the right one.


How?


If I got a phishing email it might ask me to login to my Halifax Bank account and provide a link. This link could be to Halifax.com.sh.ly/login or some such thing.

As an end user I might see the Halifax part of the URL at the beginning of the address and feel comfortable entering my credentials. If this was hidden and all I saw was sh.ly then I'd know I was on the wrong website.

You and I might be comfortable seeing that from the address bar right now but I expect 80% of users would struggle to see that.


Instead of seeing a very-very-very long URL that may contain legit words and pushes the domain name out of view, the user sees only the domain name. And if the user came to Bank of America, but the domain is some hackedtravelagency.co.kr, it's more likely to ring bells.


But how observant are most people? www.halifaxbank.com vs www.halfaxbank.com for instance is a very minor difference. Remember that people misread things all the time, and the more comfortable they are with a string the less likely they are to actually read it.
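
The two mechanisms the commenters are arguing about, worked through as an added example (this is not code from the thread or from any browser vendor): first, what a "show only the domain name" address bar would display for a link like Halifax.com.sh.ly/login, and second, the near-miss case above (halifaxbank.com vs halfaxbank.com) that such a display does not help with, caught instead by an edit-distance check against a list of trusted domains. The public-suffix table and the list of known brand domains are constructed stand-ins; real browsers derive the registrable domain from the full Public Suffix List.

```javascript
// Constructed stand-in for the Public Suffix List (assumption: only these
// suffixes exist). Real implementations load the full list.
const PUBLIC_SUFFIXES = new Set(["com", "net", "ly", "kr", "co.kr", "co.uk"]);

// Constructed sample of trusted brand domains a user actually banks with.
const KNOWN_DOMAINS = ["halifaxbank.com", "bankofamerica.com"];

// Registrable domain = longest matching public suffix plus one owner label.
// This is what an address bar that shows "only the domain name" renders,
// so halifax.com.sh.ly/login collapses to sh.ly and the bait label vanishes.
function registrableDomain(urlString) {
  const host = new URL(urlString).hostname.toLowerCase();
  const labels = host.split(".");
  // Try the longest suffix first so "co.kr" wins over plain "kr".
  for (let i = 1; i < labels.length; i++) {
    const candidate = labels.slice(i).join(".");
    if (PUBLIC_SUFFIXES.has(candidate)) {
      return labels.slice(i - 1).join(".");
    }
  }
  // No known suffix (e.g. a bare IP address): show the whole host.
  return host;
}

// Levenshtein distance, single-row dynamic programming.
function editDistance(a, b) {
  const prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    let diag = prev[0];
    prev[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const tmp = prev[j];
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      prev[j] = Math.min(prev[j] + 1, prev[j - 1] + 1, diag + cost);
      diag = tmp;
    }
  }
  return prev[b.length];
}

// Classify the domain a user is about to type credentials into:
//   "known"     exact match with a trusted domain
//   "lookalike" within two edits of a trusted domain (typo-squat territory)
//   "unknown"   nothing close; the user should decide on the domain alone
function classifyDomain(urlString, known = KNOWN_DOMAINS) {
  const domain = registrableDomain(urlString);
  let nearest = null;
  let best = Infinity;
  for (const candidate of known) {
    const d = editDistance(domain, candidate);
    if (d < best) {
      best = d;
      nearest = candidate;
    }
  }
  if (best === 0) return { domain, verdict: "known", nearest };
  if (best <= 2) return { domain, verdict: "lookalike", nearest };
  return { domain, verdict: "unknown", nearest: null };
}

// Constructed sample links from the discussion above.
for (const link of [
  "https://www.halifaxbank.com/login",
  "https://Halifax.com.sh.ly/login",
  "https://www.halfaxbank.com/login",
  "http://bankofamerica.com.hackedtravelagency.co.kr/signin",
]) {
  console.log(link, "->", JSON.stringify(classifyDomain(link)));
}
```

Note the asymmetry: the domain-only display defeats the sub-domain trick (the user sees sh.ly, not Halifax), but halfaxbank.com is a perfectly ordinary registrable domain and displays as such, which is why the misreading problem needs a separate comparison against something the user has trusted before.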


I suspect the opposite would be true. Non-power users are more likely to be fooled by the (arbitrarily-chosen by attackers) URL path-info. This focuses relatively more attention on the domain and secure-indicator.
