Sites like Web of Trust allow users to share information about phishing sites, but scores of similar tools exist and as it would be counter-productive for each to maintain their own database of phishing sites.

PhishTank centralises phishing reports and allows developers to use their data free-of-charge in their own applications, with manual or automatic download enabled (although the latter requires a free API key).

PhishTank offers a service a lot of web users will use without even realising it. Whilst certain tools might submit their data to PhishTank too, you can help your fellow web users and fight phishers through submitting data directly to PhishTank.

With a free registered account, reports can be submitted through a web interface or through email. It is extremely easy to send the next phishing attempt that manages to get through your spam filters to PhishTank. Providing you have that email address registered with them, all you have to do it forward it to phish (at) phishtank.com .

Whilst it might not directly benefit you to do so, you are helping users who might help you too. If nothing else, you are keeping your credit card interest rate down marginally, as your bank has to pay less out to compensate phishing victims!

Anti-Phishing toolbars and implementations in the major browsers are useful but can, as you will see, give the user a false sense of security. This can be attributed to the fact that databases that contain the information are not updated in real time. Someone has to report a phishing website before it will be added to the database, it would be more than difficulty to create a automatic solution for this problem.

A second difficulty are new techniques used by hackers that are not detected by ant-phishing toolbars and implementations.

Flash Phishing

Anti-Phishing toolbars do check the page content for signs of phishing but do not analyze flash objects at all. Hackers know this and tend to use this to their advantage by using flash to emulate the original website. Users tend to believe that the site is “clean” because their anti-phishing toolbar did not react to it.

It is however relatively easy to find out if the current website is fake.

1. You need to take a look at the url in the address bar. If it is not the original address leave it immediately.
2. Check if it is using https instead of http. If it is using http leave the site immediately.
3. If it is using https check the certificate.
4. If the site is only using flash leave it.
5. Never follow links in emails (unless you know the person)
6. Never follow links in chats (unless you know the person)

You should immediately contact the supposed owner of the website and ask for advice.

Social Phishing

Phishers use other means of getting sensitive data from users. We all know that we should contact the company if we have doubts about a website. What if you would receive a mail from your bank asking you to call them back because there was a security breach ? Would you call them back ?

What if the number was redirecting you to someone in China speaking fluent English ? Would you give him the information he would be asking for to verify´that you are the customer ? Sir, we need to make sure that you are indeed our customer. Could you please supply your credit card information so that I can verify your identity ?

This is not a huge market yet but it will grow over time.