This type of attack is most effective where trust relationships exist between machines.
For example, on some corporate networks internal systems trust each other, so a user can log in without a username or password as long as he is connecting from another machine on the internal network. By spoofing a connection from a trusted machine, an attacker may be able to access the target machine without authenticating.
Some upper layer protocols provide their own defense against IP spoofing.
For example, TCP uses sequence numbers negotiated with the remote machine to ensure that the arriving packets are part of an established connection. Since the attacker normally can't see any reply packets, he has to guess the sequence number in order to hijack the connection.
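The receiver-side check behind this defense, as an added example that is not part of the original page: the RFC 793 segment acceptability test, the chance that one blind guess lands in the receive window, and an RFC 6528 style initial sequence number. The function names, the HMAC-SHA256 stand-in for the RFC's keyed hash, and all sample values are assumptions made for illustration.

```python
import hashlib
import hmac

MOD = 2 ** 32  # TCP sequence numbers are 32-bit and wrap around


def in_window(seq: int, rcv_nxt: int, rcv_wnd: int) -> bool:
    """RCV.NXT <= SEG.SEQ < RCV.NXT + RCV.WND, evaluated modulo 2**32."""
    return (seq - rcv_nxt) % MOD < rcv_wnd


def segment_acceptable(seq: int, seg_len: int, rcv_nxt: int, rcv_wnd: int) -> bool:
    """RFC 793 acceptability test, including zero-length and zero-window cases."""
    if seg_len == 0:
        return seq == rcv_nxt if rcv_wnd == 0 else in_window(seq, rcv_nxt, rcv_wnd)
    if rcv_wnd == 0:
        return False  # no data is accepted while the window is closed
    last = (seq + seg_len - 1) % MOD
    # Accept if either the first or the last byte falls inside the window.
    return in_window(seq, rcv_nxt, rcv_wnd) or in_window(last, rcv_nxt, rcv_wnd)


def blind_guess_probability(rcv_wnd: int) -> float:
    """Chance that one uniformly random sequence number falls inside the window."""
    return rcv_wnd / MOD


def initial_sequence_number(secret: bytes, four_tuple: tuple, clock_ticks: int) -> int:
    """RFC 6528 style ISN: a clock value plus a keyed hash of the 4-tuple.

    Assumption: HMAC-SHA256 stands in for the RFC's pseudorandom function F().
    """
    msg = "|".join(map(str, four_tuple)).encode()
    digest = hmac.new(secret, msg, hashlib.sha256).digest()
    return (clock_ticks + int.from_bytes(digest[:4], "big")) % MOD


if __name__ == "__main__":
    # Constructed receiver state: the 64 KiB window wraps past 2**32.
    rcv_nxt, rcv_wnd = 4294967000, 65535
    for seq in (4294967000, 200, 70000):
        print(seq, segment_acceptable(seq, 100, rcv_nxt, rcv_wnd))
    print("per-guess probability:", blind_guess_probability(rcv_wnd))
    conn = ("192.0.2.10", 44321, "192.0.2.20", 22)  # constructed 4-tuple
    print("ISN:", initial_sequence_number(b"constructed-key", conn, 123456))
```

A larger receive window raises the per-guess probability, which is why the unpredictability of the initial sequence number matters as much as the window check itself.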
After your browser has been fooled, the spoofed web server can send you fake web pages or prompt you to provide personal information such as login ID, password, or even credit card or bank account numbers.
The main reason is that it exploits attributes of human behavior: trust is good and people love to talk. Most people assume that if someone is nice and pleasant, he must be honest. If an attacker can sound sincere and listen, you would be amazed at what people will tell him.