There is now a Twitter bot that tweets every time somebody fumbles an ERC-20 transfer and loses their tokens, typically by sending them to a contract that cannot handle them, such as the token contract's own address, where they sit in a balance nobody can move.
Several million USD worth of tokens have been lost this way since Ethereum launched.
Best practices for keeping your users' security in mind
Use ERC-777 instead of ERC-20 where you can: an ERC-777 `send` to a contract that has not registered a `tokensReceived` hook (via ERC-1820) reverts, so the mistaken transfer fails instead of silently stranding the tokens. Keep in mind that those hooks run recipient code in the middle of the transfer, so any contract holding ERC-777 tokens needs reentrancy protection.
Add an admin recovery function to your ERC-20 token contracts, so tokens that end up in the token contract's own balance can be returned to their sender.
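As an added example (not code from the original post), here is what such a recovery function looks like on an OpenZeppelin-based token. It assumes OpenZeppelin Contracts v5.x; the contract name, symbol and the `TokensRecovered` event are illustrative. It handles both the token itself and any other ERC-20 that was sent to the token address by mistake:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example, not code from the original post.
// Assumes OpenZeppelin Contracts v5.x is installed.
import {ERC20} from "@openzeppelin/contracts/token/ERC20/ERC20.sol";
import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import {SafeERC20} from "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";
import {Ownable} from "@openzeppelin/contracts/access/Ownable.sol";

/// @notice ERC-20 token whose admin can return tokens that were mistakenly
///         sent to the token contract's own address.
contract RecoverableToken is ERC20, Ownable {
    using SafeERC20 for IERC20;

    /// @dev Emitted on every recovery so the action is auditable on-chain
    ///      and can be matched against the original mistaken Transfer log.
    event TokensRecovered(address indexed token, address indexed to, uint256 amount);

    constructor(uint256 initialSupply)
        ERC20("Recoverable", "RCV")      // illustrative name and symbol
        Ownable(msg.sender)              // deployer is the initial admin
    {
        _mint(msg.sender, initialSupply);
    }

    /// @notice Return `amount` of `token` held by this contract to `to`.
    ///         `token` may be this token itself or any other ERC-20 that
    ///         was accidentally sent here. Only the owner may call it; in
    ///         production the owner should be a multisig or timelock.
    function recoverERC20(address token, address to, uint256 amount) external onlyOwner {
        require(to != address(0) && to != address(this), "bad recipient");

        if (token == address(this)) {
            // Our own token: move it straight out of this contract's balance.
            // _transfer checks the balance and skips allowances, which is
            // exactly what a recovery needs.
            _transfer(address(this), to, amount);
        } else {
            // Foreign token: SafeERC20 reverts cleanly for tokens that
            // return nothing or return false instead of reverting.
            IERC20(token).safeTransfer(to, amount);
        }

        emit TokensRecovered(token, to, amount);
    }

    /// @notice How much of `token` is currently stranded in this contract.
    function stranded(address token) external view returns (uint256) {
        return IERC20(token).balanceOf(address(this));
    }
}
```

Two caveats before shipping this. First, the function is a privileged escape hatch: whoever controls the owner key can move anything the contract holds, so if the token contract ever legitimately holds balances (a vesting pool, a treasury), exclude those from what `recoverERC20` may touch and put the owner behind a multisig or timelock. Second, it only helps when the tokens landed in this token's own address; tokens sent to some other contract are out of reach, which is why rejecting the transfer up front (the ERC-777 approach above, or an equivalent check in your own token) prevents losses that recovery cannot undo.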