One to do - NEVER click links in e-mail you're not expecting, always open a browser and type in where you've been told to go and log in normally - if theres nothing to be said there then its a scam. (although that only works if you haven't had a DNS/hosts file attack beforehand)

Secondly, i always forward scam, and spam somtimes e-mails will full headers to abuse@domain.com (where domain.com is where the email was pretending to be from, or in the case of normal spam, the originating ISP for the originating IP in the header)

"Two in five UK adults (42 per cent) quizzed feel that their trust in a brand would be "greatly reduced" if they received a phishing email purporting to represent it."

That must be the 42% who don't actually *have* email and so don't realise that *every* bank on the high street is regularly phished. Either that or these people are banking with someone that they have greatly reduced trust in.

Can anybody tell me why a lot of major UK banks still don't have published SPF records? That would make blocking the phishing attempts much easier.

That the reliance on email has led to this state of events. It's amazingly easy to ignore phishing emails, amazingly easy to avoid most spam and scam mails and apparently most people are amazingly stupid and don't do these things.

I wouldn't go so far as to say they deserve to be phished but this is a social phenomena, we have given stupid people advanced technology and then let cleverer people fleece them.

It's a bit like being in Government.

@Dave

"Secondly, i always forward scam, and spam somtimes e-mails will full headers to abuse@domain.com (where domain.com is where the email was pretending to be from, or in the case of normal spam, the originating ISP for the originating IP in the header)"

Who can usually do nothing at all about it, since as you say it was "pretending to be from" them. Even sending them the headers merely means that they are then in the position of having to check that the source is a botnet that they can't do much about.

So all this does is to hassle the innocent, and turn the "abuse@" into a global spam receptacle where the site owner would be unable to find legitimate complaints about their site or services.

I like the idea somebody gets a phishing email "from their bank" Barclays, they immediately distrust the bank ... next, they get a nice e-mail from Bonsons Bank in Nigeria with bad spelling, since they're looking for a new bank, they join up!

"That must be the 42% who don't actually *have* email and so don't realise that *every* bank on the high street is regularly phished."

These are the also the 42% who do not understand banking and finance and are the same people who panicked and withdrew their savings out of the perfectly healthy Northern Rock thus causing an even worse cash-flow crisis for NR. Branson and his mates must be laughing all the way to the bank (literally) for picking up a bargain.

I am surprised how few (if any) of the banks have their website images set so they can only be served from known authorised pages. Sure, changing that would just mean that phishing sites would use copies rather than the real thing (as many do already), but anything to make the scammers' task more complicated has to be a good move, surely?

Even better, don't block the images altogether, but serve alternative versions saying "You're being scammed". Get the logic the right way round, though - even if in some cases it might be hard to tell the difference!

@PolicyWatcher

"Who can usually do nothing at all about it, since as you say it was "pretending to be from" them. Even sending them the headers merely means that they are then in the position of having to check that the source is a botnet that they can't do much about."

Granted they can't stop more ails being sent out, but most of the banks do work hard to get the phishing sites shut down asap. If it's forwarded to them properly they have the address of the scam site, so are able to work on shutting it down. It's in their financial interest after all - they have to refund customers who lose cash when the account's been compromised.

(I know it's ultimately our money that goes, but they want some for their fat cats too.)

"It's in their financial interest after all - they have to refund customers who lose cash when the account's been compromised."

So why don't they set SPF records, which would enable mail admins to block the vast majority of the phishing attempts with a simple lookup? It's very easy: even I can do it. I'm not normally a conspiracy theorist, but there's a hidden agenda here somewhere. Nobody can be that incompetent accidentally.

Its actually a good point, I get fake for almost every bank you can name but I cant remember the last one I got for hsbc.co.uk. SPF isnt always effective because its dependant on mail severs supporting it, however the more servers that actively enforce SPF records the more impact it will have.

contacting the abuse@domain email is important as most of these types of emails come from virus's/trojan's on people's pc's, so while the spam was not intentionally sent by the user's machines, their connections were used and ISP's need to know so they can get in touch with their customers and get it fixed.

"It's very easy: even I can do it. I'm not normally a conspiracy theorist, but there's a hidden agenda here somewhere. Nobody can be that incompetent accidentally."

Mmm, maybe. I can say they're not incompetent accidentally, more ignorant/oblivious than a conspiracy.

Marketing departments worry too much that the stuff they send out might not get to it's intended recipients. Honestly, I've actually seen people in marketing shun perfectly good suggestions and upper management side with them although the suggestion is to protect customers. They generally change their minds when they find out the true size of the security hole and have a very good style phishing attack shown to them.

I may even suggest the SPF to the Techdesk at my bank. You never know, sometimes all it takes is a flash of a torch light to set them on the right track.