When looking at the question of phishing, it's important to have a clear definition. This article defines phishing as spoofed messages which purport to come from a (financial) organization and which are designed to trick the user into giving up confidential information. This is strictly a matter of social engineering; once malware is involved, the attack is no longer considered phishing here. The never-ending stream of phishing emails and phishing construction kits clearly demonstrates that phishing is still a very effective way of getting users to give up their credentials. There are several reasons for this. Firstly, user education has not had the desired effect, and people are still clicking on the links included in phishing emails. Related to this, users are either unaware of security mechanisms (such as HTTPS), don't pay sufficient attention to them, or simply ignore warnings about invalid or untrusted website certificates. Additionally, in an effort to maximize their returns, cyber criminals are constantly devising ever more ingenious social engineering schemes to deceive even the more security-savvy user.
The second problem is that the defences of the majority of financial institutions can be breached by a very simple (phishing) attack. A quick review of the security measures taken by a number of banks in the USA, UK and elsewhere showed that they rely on a simple static username and password to access the online banking system. All a cyber criminal has to do is obtain the username and password, and s/he is free to perform almost any transaction. Another disadvantage of a static username and password is that the captured credentials can be stored and replayed at any time: the criminal does not have to use the data in real time, while the victim is still on the phishing page; that job can be done later. Banks with better security policies use at least one dynamic password: a one-time password that is only valid for a single session or a single action. This dynamic authentication can be required when the user logs on, when the user signs a transaction, or preferably both. With this approach a captured password that has already been used, or has expired, cannot sign a transaction, and ideally cannot even be used to log on. One caveat a practitioner should keep in mind: a one-time password on its own still leaves a short window for a phishing site that relays the code to the real bank immediately, which is why the code used to sign a transaction should also be bound to the details of that transaction.
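The replay argument above is easy to see in code. The following is an added example, not code from the original article or from any bank: it models a bank that accepts a reusable username/password next to one that requires an HMAC-based one-time password (RFC 4226 HOTP) to log on and a code bound to the transfer details to sign a transaction. The user "alice", the shared secret, the "mule-account" destination, the transaction-code construction (HMAC-SHA256 over challenge, destination and amount) and the simulated phishing page are all constructed for illustration; only the HOTP routine follows a standard.

```python
"""Static credentials vs one-time, transaction-bound codes: a replay demonstration.

Added example, not code from the original article. The bank classes, user names,
secrets, the 'mule-account' destination and the transaction-code scheme are
constructed for illustration; hotp() follows RFC 4226.
"""
import hashlib
import hmac
import secrets
import struct
from typing import Dict, Optional


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password as in RFC 4226: HMAC-SHA1 plus dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def sign_transaction(secret: bytes, challenge: str, dest: str, amount: int, digits: int = 8) -> str:
    """Transaction code keyed over the session challenge AND the transfer details (assumed scheme,
    not a standard), so a code obtained for one transfer is useless for any other."""
    mac = hmac.new(secret, f"{challenge}|{dest}|{amount}".encode(), hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 10 ** digits:0{digits}d}"


class StaticPasswordBank:
    """Bank that authenticates with a reusable username/password only."""

    def __init__(self, users: Dict[str, str]):
        # Hashing at rest does nothing against replay: the same password is valid forever.
        self._users = {u: hashlib.sha256(p.encode()).hexdigest() for u, p in users.items()}

    def login(self, username: str, password: str) -> bool:
        expected = self._users.get(username, "")
        return hmac.compare_digest(expected, hashlib.sha256(password.encode()).hexdigest())


class OtpBank:
    """Bank that needs a fresh HOTP code to log on and a transaction-bound code to transfer."""

    LOOK_AHEAD = 5  # counters the server searches ahead, tolerating codes the user skipped

    def __init__(self):
        self._tokens: Dict[str, list] = {}    # username -> [secret, last accepted counter]
        self._sessions: Dict[str, str] = {}   # username -> challenge for the current session

    def enrol(self, username: str, secret: bytes) -> None:
        self._tokens[username] = [secret, -1]

    def login(self, username: str, code: str) -> Optional[str]:
        """Return a session challenge on success, None on failure; an accepted counter is burned."""
        secret, last = self._tokens[username]
        for counter in range(last + 1, last + 1 + self.LOOK_AHEAD):
            if hmac.compare_digest(hotp(secret, counter), code):
                self._tokens[username][1] = counter   # this code and all earlier ones are now dead
                challenge = secrets.token_hex(8)
                self._sessions[username] = challenge
                return challenge
        return None

    def transfer(self, username: str, challenge: str, dest: str, amount: int, code: str) -> bool:
        """Accept only a code over this exact challenge/dest/amount; each challenge signs one transfer."""
        if self._sessions.get(username) != challenge:
            return False
        secret, _ = self._tokens[username]
        ok = hmac.compare_digest(sign_transaction(secret, challenge, dest, amount), code)
        if ok:
            del self._sessions[username]   # single use: a replayed signature is refused
        return ok


class TokenDevice:
    """The customer's token: shares the secret with the bank and keeps its own counter."""

    def __init__(self, secret: bytes):
        self.secret, self.counter = secret, 0

    def next_login_code(self) -> str:
        code = hotp(self.secret, self.counter)
        self.counter += 1
        return code

    def sign(self, challenge: str, dest: str, amount: int) -> str:
        return sign_transaction(self.secret, challenge, dest, amount)


def static_credentials_replay() -> bool:
    """Phished static credentials are stored and replayed hours later: still accepted."""
    bank = StaticPasswordBank({"alice": "correct horse battery staple"})
    harvested = ("alice", "correct horse battery staple")   # what the phishing page logged
    return bank.login(*harvested)


def otp_replay() -> dict:
    """The same phishing page against the one-time-password bank."""
    secret = b"\x01" * 20                        # constructed shared secret
    bank, token = OtpBank(), TokenDevice(secret)
    bank.enrol("alice", secret)

    login_code = token.next_login_code()         # victim types this into the phishing page
    relayed = bank.login("alice", login_code)    # attacker relays it at once: the real-time window
    stored = bank.login("alice", login_code)     # attacker reuses the stored code later: burned

    # The relay bought a session, but a transfer needs a code over *that* transfer.
    victim_code = token.sign(relayed, "savings-account", 100)   # what the victim intended to sign
    diverted = bank.transfer("alice", relayed, "mule-account", 5000, victim_code)
    legit = bank.transfer("alice", relayed, "savings-account", 100, victim_code)
    replayed = bank.transfer("alice", relayed, "savings-account", 100, victim_code)
    return {"relayed_login": relayed is not None, "stored_login": stored is not None,
            "diverted_transfer": diverted, "legit_transfer": legit, "replayed_transfer": replayed}
```

Run `static_credentials_replay()` and `otp_replay()` side by side: the static bank accepts the harvested password whenever the attacker gets round to using it, whereas the OTP bank accepts the phished login code only if it is relayed before the victim's next code, refuses it afterwards, and refuses a transaction code for any transfer other than the one the customer actually signed, and only once.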