There are anti-phishing websites which publish exact messages that have been recently circulating the internet, such as FraudWatch International and Millersmiles. Such sites often provide specific details about the particular messages. As recently as 2007, the adoption of anti-phishing strategies by businesses needing to protect personal and financial information was low. There are several different techniques to combat phishing, including legislation and technology created specifically to protect against phishing. These techniques include steps that can be taken by individuals, as well as by organizations. Phone, website, and email phishing can now be reported to authorities, as described below.
== User training ==
[Image caption: intended to educate citizens about phishing tactics]
Effective phishing education, including conceptual knowledge and feedback, is an important part of any organization's anti-phishing strategy. While there is limited data on the effectiveness of education in reducing susceptibility to phishing, much information on the threat is available online. Security awareness training helps users to identify common phishing indicators, which include:
• Requests for information
• Mismatches between emails and URLs
• Unusual greetings
• Typos and errors
• Urgent asks
• Unusual attachments
• Low-quality graphics
Nearly all legitimate e-mail messages from companies to their customers contain an item of information that is not readily available to phishers. Some companies, for example PayPal, always address their customers by their username in emails, so if an email addresses the recipient in a generic fashion ("Dear PayPal customer") it is likely to be an attempt at phishing. Furthermore, PayPal offers various methods to determine spoof emails and advises users to forward suspicious emails to their spoof@PayPal.com domain to investigate and warn other customers. However, it is unsafe to assume that the presence of personal information alone guarantees that a message is legitimate, and some studies have shown that the presence of personal information does not significantly affect the success rate of phishing attacks, which suggests that most people do not pay attention to such details. Emails from banks and credit card companies often include partial account numbers, but research has shown that people tend not to differentiate between the first and last digits. A study on phishing attacks in game environments found that educational games can effectively educate players against information disclosures and can increase awareness of phishing risk, thus mitigating risks. The Anti-Phishing Working Group, one of the largest anti-phishing organizations in the world, produces regular reports on trends in phishing attacks.
== Technical approaches ==
A wide range of technical approaches are available to prevent phishing attacks reaching users or to prevent them from successfully capturing sensitive information.
=== Filtering out phishing mail ===
Specialized spam filters can reduce the number of phishing emails that reach their addressees' inboxes. These filters use a number of techniques, including machine learning and natural language processing approaches, to classify phishing emails and to reject email with forged sender addresses.
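The indicator list under User training and the filtering paragraph above describe the same thing from two sides: cues a trained reader looks for, and rules a filter can apply before the message reaches the inbox. The following is an added illustration, not any vendor's filter or code from the article's sources: it parses one constructed message and scores it on a handful of those cues (generic salutation, visible link text whose domain differs from the real href, links that do not point at the sender's domain, urgent wording, risky attachment names). The `domain_of` helper, the word lists and the sample message are all constructed assumptions.

```python
"""Heuristic phishing-indicator scoring for a single e-mail (added example).
Checks the cues listed in the article: generic greeting, link-text/URL
mismatch, sender/link domain mismatch, urgent language, unusual attachments.
All word lists, the domain helper and the sample message are constructed."""
import re
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr
from urllib.parse import urlparse

URGENCY = ("urgent", "immediately", "within 24 hours", "suspended", "verify now")
RISKY_EXT = (".exe", ".scr", ".js", ".vbs", ".html", ".iso")
HREF_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
TAG_RE = re.compile(r"<[^>]+>")


def domain_of(url_or_addr):
    """Last two labels of a URL host or of an address's domain: a rough
    registrable domain, enough to expose look-alike hosts (assumption)."""
    if "@" in url_or_addr:
        host = url_or_addr.rsplit("@", 1)[1]
    else:
        host = urlparse(url_or_addr).hostname or ""
    return ".".join(host.lower().split(".")[-2:])


def score_message(raw):
    """Return (score, findings) for a raw RFC 5322 message given as bytes."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = []
    body = msg.get_body(preferencelist=("html", "plain"))
    html = body.get_content() if body else ""
    plain = TAG_RE.sub(" ", html)

    # Generic salutation where a real sender would use the customer's name
    if re.search(r"\bdear\s+(?:\w+\s+)?(customer|user|member|client)\b", plain, re.I):
        findings.append("generic greeting")

    sender_domain = domain_of(parseaddr(str(msg["From"] or ""))[1])
    for href, label in HREF_RE.findall(html):
        label = TAG_RE.sub("", label).strip()
        # Visible link text names one site while the href goes to another
        if label.startswith("http") and domain_of(label) != domain_of(href):
            findings.append(f"link text/URL mismatch: {label} -> {href}")
        # Link targets that are not the sender's own domain
        if sender_domain and domain_of(href) != sender_domain:
            findings.append(f"sender/link domain mismatch: {href}")

    # Pressure to act now
    if any(w in plain.lower() for w in URGENCY):
        findings.append("urgent ask")

    # Attachment types a bank or payment provider would not normally send
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(RISKY_EXT):
            findings.append(f"unusual attachment: {name}")

    return len(findings), findings


# Constructed sample: look-alike sender domain, generic greeting, urgency,
# and link text that shows the real brand while the href goes elsewhere.
SAMPLE = b"""From: "PayPal Service" <alerts@paypa1-secure.example>
To: victim@example.org
Subject: Action required
Content-Type: text/html; charset=utf-8

<p>Dear PayPal customer,</p>
<p>Your account has been limited. Verify now within 24 hours or it will be suspended.</p>
<p><a href="http://paypa1-secure.example/login">https://www.paypal.com/signin</a></p>
"""

if __name__ == "__main__":
    print(score_message(SAMPLE))
```

A real filter would combine such features with a trained classifier and with sender-authentication results rather than treating any single cue as decisive; the article's own caveat that personal details in a message do not prove legitimacy applies equally to their absence.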
=== Browsers alerting users to fraudulent websites ===
Another popular approach to fighting phishing is to maintain a list of known malicious sites and verify URLs against that list in real time. Browsers that do this often source their intelligence through trusted security partners or specialized browser extensions, such as Google Safe Browsing, Microsoft Defender SmartScreen, Bitdefender TrafficLight, uBlock Origin Lite, Netcraft Extension and Blue Arca PhishGuard. Web browsers such as Google Chrome, Microsoft Edge, Mozilla Firefox, Safari, and Opera all contain this type of anti-phishing measure. Firefox 2 used Google anti-phishing software. Opera 9.1 uses live blacklists from PhishTank, cyscon and GeoTrust, as well as live whitelists from GeoTrust. Some implementations of this approach send the visited URLs to a central service to be checked, which has raised concerns about privacy. According to a 2026 study by AV-Comparatives, Avast Secure Browser and Norton Security Browser were found to be most effective at detecting fraudulent sites, blocking 94% of phishing URLs, while Google Chrome blocked 72%. An approach introduced in mid-2006 involves switching to a special DNS service that filters out known phishing domains. To mitigate the problem of phishing sites impersonating a victim site by embedding its images (such as logos), several site owners have altered the images to send a message to the visitor that a site may be fraudulent. The image may be moved to a new filename and the original permanently replaced, or a server can detect that the image was not requested as part of normal browsing, and instead send a warning image.
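The privacy concern raised above comes from implementations that send every visited URL to a central service. The added example below, which is not the code of any browser or list provider, shows the alternative design: the client downloads only short hash prefixes of the blocklist, checks visited URLs locally, and contacts the server only when a prefix matches, sending the prefix rather than the URL. The `ListServer`/`Client` classes, the 4-byte prefix length and the canonicalization rule are constructed assumptions that simplify how prefix-based services work; they are not a particular vendor's protocol.

```python
"""Prefix-hash URL blocklist check (added example). The client reveals no
URL to the list provider; on a prefix hit it fetches the full hashes behind
that prefix and finishes the comparison locally. Constructed list and
simplified canonicalization; not any vendor's actual protocol."""
import hashlib
from urllib.parse import urlparse

PREFIX_LEN = 4  # bytes of SHA-256 kept on the client per entry (assumption)


def canonicalize(url):
    """Lower-case the host, drop scheme/fragment/query, default path to '/'.
    Real services apply a longer canonicalization; this is a simplification."""
    p = urlparse(url.strip())
    host = (p.hostname or "").lower().rstrip(".")
    path = p.path or "/"
    return f"{host}{path}"


def full_hash(url):
    return hashlib.sha256(canonicalize(url).encode()).digest()


class ListServer:
    """The list provider. It knows the full hashes, publishes prefixes, and
    records what each lookup revealed so the privacy property can be checked."""

    def __init__(self, bad_urls):
        self.hashes = {full_hash(u) for u in bad_urls}
        self.queries = []  # prefixes the client sent; never a URL

    def prefixes(self):
        return {h[:PREFIX_LEN] for h in self.hashes}

    def lookup(self, prefix):
        self.queries.append(prefix)
        return {h for h in self.hashes if h.startswith(prefix)}


class Client:
    """The browser side: local prefix set, full-hash cache, per-URL check."""

    def __init__(self, server):
        self.server = server
        self.local_prefixes = server.prefixes()  # periodic download
        self.cache = {}  # prefix -> set of full hashes already fetched

    def is_blocked(self, url):
        h = full_hash(url)
        prefix = h[:PREFIX_LEN]
        if prefix not in self.local_prefixes:
            return False  # common case: no network request, nothing revealed
        if prefix not in self.cache:
            self.cache[prefix] = self.server.lookup(prefix)
        return h in self.cache[prefix]


if __name__ == "__main__":
    # Constructed blocklist entry; the host is a placeholder, not a real site.
    server = ListServer(["http://phish.example/login"])
    client = Client(server)
    print(client.is_blocked("http://PHISH.example/login#frag"))  # True
    print(client.is_blocked("https://www.example.org/"))         # False
    print(server.queries)  # one 4-byte prefix, no URL
```

The trade-off visible here is that a prefix match leaks the fact that the user visited some URL sharing that prefix, which is far less than the URL itself; a design that sends full URLs gives the provider a complete browsing log, which is the concern the article notes.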
=== Augmenting password logins ===
The Bank of America website was one of several that asked users to select a personal image (marketed as SiteKey) and displayed this user-selected image with any forms that request a password. Users of the bank's online services were instructed to enter a password only when they saw the image they selected. The bank has since discontinued the use of SiteKey. Several studies suggest that few users refrain from entering their passwords when images are absent. In addition, this feature (like other forms of two-factor authentication) is susceptible to other attacks, such as those suffered by Scandinavian bank Nordea in late 2005, and Citibank in 2006. A similar system, in which an automatically generated "Identity Cue" consisting of a colored word within a colored box is displayed to each website user, is in use at other financial institutions. Security skins are a related technique that involves overlaying a user-selected image onto the login form as a visual cue that the form is legitimate. Unlike the website-based image schemes, however, the image itself is shared only between the user and the browser, and not between the user and the website. The scheme also relies on a mutual authentication protocol, which makes it less vulnerable to attacks that affect user-only authentication schemes. Still another technique relies on a dynamic grid of images that is different for each login attempt. The user must identify the pictures that fit their pre-chosen categories (such as dogs, cars and flowers). Only after they have correctly identified the pictures that fit their categories are they allowed to enter their alphanumeric password to complete the login. Unlike the static images used on the Bank of America website, a dynamic image-based authentication method creates a one-time passcode for the login, requires active participation from the user, and is very difficult for a phishing website to correctly replicate because it would need to display a different grid of randomly generated images that includes the user's secret categories.
=== Monitoring and takedown ===
Several companies offer digital risk protection (DRP) services to detect, block, and take down malicious websites, social accounts, applications, and digital infrastructure impersonating legitimate organizations. While early tools required extensive manual oversight, modern vendors like Netcraft, ZeroFox and Recorded Future have moved toward higher levels of automation to combat the speed of AI-driven phishing. Individuals can contribute by reporting phishing to both volunteer and industry groups, such as cyscon or PhishTank. Phishing web pages and emails can be reported to Google.
=== Multi-factor authentication ===
Organizations can implement two-factor or multi-factor authentication (MFA), which requires a user to present at least two factors when logging in (for example, both a smart card and a password). This mitigates some risk: in the event of a successful phishing attack, the stolen password on its own cannot be reused to further breach the protected system. However, there are several attack methods which can defeat many of the typical systems. MFA schemes such as WebAuthn address this issue by design.
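What "by design" means for WebAuthn is that the data the authenticator signs includes the origin the browser observed and a hash of the relying-party ID, so an assertion produced while the user sits on a look-alike site is rejected by the real site even if the user completed every step. The added example below is an illustration of that relying-party check, not code from a WebAuthn library or from any site named in the article. Two simplifications are assumptions: an HMAC with a shared key stands in for the authenticator's public-key signature, and the authenticator data carries only the rpIdHash, a flags byte and a counter. The relying-party ID, origin, and challenge values are constructed.

```python
"""Relying-party verification of a WebAuthn-style assertion (added example).
Demonstrates origin binding: the same authenticator, challenge and user,
but an assertion created on another origin fails verification. HMAC stands
in for the real public-key signature (simplification); values constructed."""
import base64
import hashlib
import hmac
import json
import os

RP_ID = "bank.example"                 # constructed relying-party ID
EXPECTED_ORIGIN = "https://bank.example"


def b64u(data):
    """Base64url without padding, as used for the challenge in clientData."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


class Authenticator:
    """Toy authenticator: signs authData || SHA-256(clientDataJSON)."""

    def __init__(self):
        self.key = os.urandom(32)  # stands in for the credential private key
        self.counter = 0

    def get_assertion(self, rp_id, challenge, origin):
        # In a real browser, rp_id and origin come from the browser, not the
        # page, and a credential scoped to bank.example is not even offered
        # on a different origin. Here both are passed in so the mismatch
        # case can be exercised directly.
        client_data = json.dumps(
            {"type": "webauthn.get", "challenge": b64u(challenge), "origin": origin},
            separators=(",", ":"),
        ).encode()
        self.counter += 1
        flags = b"\x01"  # user-present bit set
        auth_data = hashlib.sha256(rp_id.encode()).digest() + flags + self.counter.to_bytes(4, "big")
        signed = auth_data + hashlib.sha256(client_data).digest()
        sig = hmac.new(self.key, signed, hashlib.sha256).digest()
        return client_data, auth_data, sig


def verify_assertion(key, challenge, client_data, auth_data, sig):
    """Relying-party side. Returns 'ok' or the first failing check."""
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get":
        return "bad type"
    if cd.get("challenge") != b64u(challenge):
        return "challenge mismatch"        # replay of an old assertion
    if cd.get("origin") != EXPECTED_ORIGIN:
        return "origin mismatch"           # assertion made on a look-alike site
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return "rpIdHash mismatch"
    if not auth_data[32] & 1:
        return "user not present"
    expected = hmac.new(key, auth_data + hashlib.sha256(client_data).digest(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return "bad signature"
    return "ok"


if __name__ == "__main__":
    auth = Authenticator()
    challenge = os.urandom(32)
    # Genuine login on the real origin
    print(verify_assertion(auth.key, challenge, *auth.get_assertion(RP_ID, challenge, EXPECTED_ORIGIN)))
    # Same user, same challenge, but the browser was on a look-alike origin
    print(verify_assertion(auth.key, challenge,
                           *auth.get_assertion("bank-login.example", challenge, "https://bank-login.example")))
```

Contrast this with a one-time code typed into a form: nothing in the code says where the user typed it, so a relayed code is indistinguishable from a genuine one, which is the gap the article's "several attack methods" refers to.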
== Legal responses ==
[Video caption: how to file a complaint with the Federal Trade Commission]
On January 26, 2004, the U.S. Federal Trade Commission filed the first phishing lawsuit, against a Californian teenager suspected of creating a webpage mimicking America Online and stealing credit card information. Other countries have followed this lead by tracing and arresting phishers. A phishing kingpin, Valdir Paulo de Almeida, was arrested in Brazil for leading one of the largest phishing crime rings, which in two years stole between and . UK authorities jailed two men in June 2005 for their role in a phishing scam, in a case connected to the U.S. Secret Service Operation Firewall, which targeted notorious "carder" websites. In 2006, Japanese police arrested eight people for creating fake Yahoo Japan websites, netting themselves () and the FBI detained a gang of sixteen in the U.S. and Europe in Operation Cardkeeper. Senator Patrick Leahy introduced the Anti-Phishing Act of 2005 to Congress in the United States on March 1, 2005. This bill aimed to impose fines of up to $250,000 and prison sentences of up to five years on criminals who used fake websites and emails to defraud consumers. In the UK, the Fraud Act 2006 introduced a general offense of fraud punishable by up to ten years in prison and prohibited the development or possession of phishing kits with the intention of committing fraud. Companies have also joined the effort to crack down on phishing. On March 31, 2005, Microsoft filed 117 federal lawsuits in the U.S. District Court for the Western District of Washington. The lawsuits accuse "John Doe" defendants of obtaining passwords and confidential information. March 2005 also saw a partnership between Microsoft and the Australian government teaching law enforcement officials how to combat various cyber crimes, including phishing. Microsoft announced a planned further 100 lawsuits outside the U.S. in March 2006, followed by the commencement, as of November 2006, of 129 lawsuits mixing criminal and civil actions. AOL reinforced its efforts against phishing in early 2006 with three lawsuits seeking a total of under the 2005 amendments to the Virginia Computer Crimes Act, and Earthlink has joined in by helping to identify six men subsequently charged with phishing fraud in Connecticut. In January 2007, Jeffrey Brett Goodin of California became the first defendant convicted by a jury under the provisions of the CAN-SPAM Act of 2003. He was found guilty of sending thousands of emails to AOL users, while posing as the company's billing department, which prompted customers to submit personal and credit card information. Facing a possible 101 years in prison for the CAN-SPAM violation and ten other counts including wire fraud, the unauthorized use of credit cards, and the misuse of AOL's trademark, he was sentenced to serve 70 months. Goodin had been in custody since failing to appear for an earlier court hearing and began serving his prison term immediately.

== Notable incidents ==