The contract address is shown in the Mist/MetaMask prompt. Checking that when you first deposit would be sufficient. (Sure, it's probably true that many users would fail to check that, but I think it counts for something that there is an obvious way that anyone could verify what they were committing their funds to.)
