A trick malware distributors use is adding a JavaScript-based time delay to their phishing pages. It's slightly more annoying for scanners to detect than just an UA switch.