Phishing is a very serious problem that we face. However, banks are the biggest targets. What methods can a bank use to protect itself from phishing attacks? What methods should someone use to protect themselves? Why does it stop attacks?
Use an EV SSL certificate, and then put a message on your login pages that tells users to look for the EV Signature in their browser.
Make it clear in your emails that your bank will never ask a user for their password. Set up a special email dedicated to phishing so customers can send you suspected emails, and you can then notify customers.
IMO, the best thing that a bank can do is to educate its users on when and how they will communicate with them. Many users have no idea about what phishing is and so showing them examples and raising their awareness about fraud will do more than any technical solution (though the technical side should be pursued just as aggressively). A user aware that phishing can occur will be far less likely to fall prey to it.
Phishing usually works by directing the consumer to a scraped version of the website. One method that's starting to be more common is a dynamic website, where after entry of username and before entry of password, the bank site reveals some image or phrase chosen by the consumer, which I will call the counter-password. In essence, not only must the consumer present a valid password, so does the bank. Mutual authentication.
The phishing site cannot display the correct counter-password without querying the bank, and this gives the bank an opportunity to detect, confound, and prosecute the proxy.
This can be enhanced with use of an out-of-band communication channel. If the IP address making the request (which would be the proxy, possibly via onion routing) isn't one the consumer has logged in from before, send the consumer an SMS with a one-time code they must additionally use before the counter-password is revealed and login enabled.
Other methods are for the browser to cache the correct server certificate and tell the consumer when they visit a site without a cached certificate, thus warning the consumer that this isn't the familiar site they've used before.
The best way to prevent phishing attacks should rely on technical means that don't require the user to understand the problem. The target audience will always be large enough to find someone who gets fooled.
A good way to prevent attacks is to use an authentication mechanism that doesn't rely on a simple pass phrase or transaction authentication number (TAN) that an attacker can steal.
Existing methods use e.g. dynamic TANs (Indexed TAN or iTAN), or a TAN submitted on a separate channel via SMS (mobile TAN or mTAN), or - most secure and also preventing real-time man-in-the-middle attacks - require the user to sign each transaction, e.g. using DigiPass or a smartcard.
The reason that this is not widely implemented is probably that it is still more cost-effective for banks to pay for the damage from phishing attacks than investing in security.
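As an added illustration of the transaction-signing approach mentioned above (this is not code from the answer or from any DigiPass or smartcard product), the following Python sketch binds the signing code to the payee and amount, so a real-time man-in-the-middle that alters the payee after the customer signs gets rejected, and a replayed code is rejected too. The HMAC-SHA256 construction, the per-customer device secret and the bank-issued nonce are assumptions for the example.

```python
import hashlib
import hmac
import secrets

# Constructed enrollment: each customer's signing device shares a secret with
# the bank. Real tokens use their own algorithms; HMAC-SHA256 stands in here.
DEVICE_SECRETS = {"alice": secrets.token_bytes(32)}

def canonical(tx):
    """Fixed field order so the device and the bank hash exactly the same bytes."""
    return "|".join(str(tx[k]) for k in ("from", "to", "amount", "nonce")).encode()

def device_sign(secret, tx):
    """Code the customer's token computes after showing payee and amount on its
    own display. Truncated to 8 hex digits for typing; the bank must rate-limit."""
    return hmac.new(secret, canonical(tx), hashlib.sha256).hexdigest()[:8]

class Bank:
    def __init__(self):
        self.issued = set()          # outstanding one-time challenges

    def new_nonce(self):
        n = secrets.token_hex(8)
        self.issued.add(n)
        return n

    def verify(self, user, tx, code):
        if tx["nonce"] not in self.issued:
            return False             # unknown challenge or replay
        expected = device_sign(DEVICE_SECRETS[user], tx)
        if not hmac.compare_digest(expected, code):
            return False             # payee/amount differ from what was signed
        self.issued.discard(tx["nonce"])   # each nonce is usable once
        return True

def demo():
    bank = Bank()
    tx = {"from": "alice", "to": "DE123", "amount": 100, "nonce": bank.new_nonce()}
    code = device_sign(DEVICE_SECRETS["alice"], tx)
    honest = bank.verify("alice", tx, code)
    # A man-in-the-middle swaps the payee after the customer signed.
    tx2 = dict(tx, nonce=bank.new_nonce())
    code2 = device_sign(DEVICE_SECRETS["alice"], tx2)
    tampered = bank.verify("alice", dict(tx2, to="ATTACKER"), code2)
    # Resubmitting the first, already consumed, signature.
    replayed = bank.verify("alice", tx, code)
    return honest, tampered, replayed   # (True, False, False)
```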
The easiest way to mitigate it from a bank perspective would be to educate customers upon account creation that (a) the bank does not have the customer's e-mail address, so it simply can't send mails to them and (b) send a letter to every existing customer once, explaining the same.
For the customer this has the benefit that they will know that whenever they receive a mail claiming to come from their bank it can't be real.
I recommend analyzing online banking fraud based on the types of attacks: stolen credentials, Man-in-the-middle and malware/man-in-the-browser and how authentication can thwart them: two-factor authentication for sessions, mutual authentication to prevent MITM and transaction authentication for MitB. I wrote an article about this in 2006: http://www.bankinfosecurity.com/articles.php?art_id=115&pg=1 and I wrote a doc tutorial on mutual https authentication: http://www.howtoforge.com/prevent_phishing_with_mutual_authentication. EV certs are of little additional value for many of the same reasons that standard SSL is of little value: no one knows how to validate a certificate and the UI cannot be trusted. Using images is of no value and makes for a really annoying user experience.
While SMS is better than static passwords, you are then relying on the security of the cell carriers. However, since they have so many users and increasing the security of their systems means more helpdesk calls, incentives are not aligned. Also, please reference the latest snafu with the iPad email addresses where even basic security principles were not followed.
Banks need to get serious about designing systems and/or using vendors that base their architecture on solid security principles and follow standard encryption techniques rather than marketecture with an eye towards meeting minimum compliance standards.