Thursday, June 9, 2011

Protect your site from Phishing and Pharming

These are suggestions for developers on protecting a site's users against phishing and pharming attacks that impersonate the site.

Phishing is a social engineering attack that targets the users of your site. At its simplest, the phisher sends your users an email that appears to come from you and asks them to click a link. The link leads to a site that looks like yours and asks them to update or verify their personal information. Once that information is collected, the user becomes a victim of identity theft. Pharming has the same goal but does not depend on the user clicking a bad link: the attacker redirects traffic for your domain name to the fake site (for example by poisoning DNS or the user's hosts file), so the address bar looks right even though the site is not yours.

So the main defense is educating users on how to avoid being tricked into responding to these attacks; the measures below make that education credible and limit the damage when it fails.

On your website
Policies
Create a policy that defines precisely what you will and will NOT do when communicating with users. Make the policy as easy to understand as possible, with no legalese, and make sure it is easy to find on the website.

Encourage end users to install and update anti-virus and anti-spyware software.

Make it easy for users to report possible scams involving your site, through a feedback form or a dedicated email address.
Place a warning on the website that you will prosecute phishers and scammers.
Provide help to users who have been victimized.

Coding
Do not use popups, and tell users you will never use a popup, so they can report one if they see it.
Prevent other sites from framing your site (a framed copy of your login page inside an attacker's page is a common trick).
Use the target attribute on links so your pages always open in the top-level window:
<a href="http://www.yoursite.com/" target="_top">
In script, check the DOM for a parent frame and break out of it (if top != self, set top.location to your own URL). Script alone can be defeated by a hostile parent page, so also send the X-Frame-Options: DENY response header, which tells the browser itself to refuse framing.
Check the Referer header on sensitive pages: a request that arrives straight from a mail client carries no referrer, and one from webmail carries the webmail host, so this stops links in email from landing users directly on your forms. The header is client-controlled and some browsers and proxies strip it, so treat it as a hurdle for users following mail links, not as authentication.
Protect your site from XSS attacks: an XSS flaw lets a phisher serve the fake form from your real domain, which no amount of user education will catch.
Always use your domain name, never an IP address, in URLs for your site, so users learn what a legitimate address looks like.
Disable unused accounts.


Protect your data
Don't store or display data that is not needed by the user.
Don't ever display the password.
Validate that data is internally consistent; for example, a Florida address with a California ZIP code could be a warning sign.
Set up daily access limits for unverified customers.
Consider shipping only to a user's billing address.
When updating an email or physical address, send notification to both the old and the new address.
Never send passwords by email; use a one-time, time-limited token to recover passwords.
Consider emailing activity logs to users so they can confirm the activity is theirs.
Limit transactions from a single user in a given time period.
Check for multiple accounts using the same shipping address.
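The order-screening rules above (state/ZIP consistency, per-user transaction limits with a stricter limit for unverified customers, ship-to versus billing address, and several accounts sharing one shipping address), as an added example that is not code from the original post. The ZIP ranges, thresholds, field names and the sample orders are all constructed for illustration.

```javascript
// Added example, not code from the original post: the data-screening rules
// listed above, applied to a small constructed order set. The ZIP ranges,
// thresholds, field names and order data are assumptions made for illustration.

// First three digits of ZIP codes per state, for the two states in the sample.
// Constructed subset; a real deployment would load a full state/ZIP table.
const ZIP_PREFIXES = { FL: [[320, 349]], CA: [[900, 961]] };

function zipMatchesState(state, zip) {
  const ranges = ZIP_PREFIXES[state];
  if (!ranges || !/^\d{5}(-\d{4})?$/.test(zip)) return false;
  const prefix = Number(zip.slice(0, 3));
  return ranges.some(([lo, hi]) => prefix >= lo && prefix <= hi);
}

// Canonical form of a street address so "500 DROP LN  UNIT 3" and
// "500 Drop Ln, Unit 3" compare equal.
function normalizeAddress(addr) {
  return addr.toLowerCase().replace(/[^a-z0-9 ]/g, " ").replace(/\s+/g, " ").trim();
}

// Orders placed by userId in the window ending at `ts` (inclusive).
function countRecentOrders(orders, userId, ts, windowMs) {
  return orders.filter(o => o.userId === userId && o.ts > ts - windowMs && o.ts <= ts).length;
}

// Other accounts that have shipped to the same (normalized) address.
function otherUsersAtAddress(orders, userId, shipTo) {
  const key = normalizeAddress(shipTo);
  const users = new Set();
  for (const o of orders) {
    if (o.userId !== userId && normalizeAddress(o.shipTo) === key) users.add(o.userId);
  }
  return [...users].sort();
}

// Assumed policy: 5 orders per hour for verified customers, 2 for unverified.
const DEFAULT_POLICY = { windowMs: 60 * 60 * 1000, limit: 5, unverifiedLimit: 2 };

// Returns the warning codes for one order; an empty list means no signal fired.
function screenOrder(order, orders, policy = DEFAULT_POLICY) {
  const reasons = [];
  if (!zipMatchesState(order.billingState, order.billingZip)) {
    reasons.push("billing_state_zip_mismatch");
  }
  const limit = order.verified ? policy.limit : policy.unverifiedLimit;
  if (countRecentOrders(orders, order.userId, order.ts, policy.windowMs) > limit) {
    reasons.push("transaction_rate_exceeded");
  }
  if (!order.verified && normalizeAddress(order.shipTo) !== normalizeAddress(order.billTo)) {
    reasons.push("unverified_ship_to_differs_from_billing");
  }
  const sharers = otherUsersAtAddress(orders, order.userId, order.shipTo);
  if (sharers.length > 0) reasons.push("ship_to_shared_with:" + sharers.join(","));
  return reasons;
}

// Constructed sample orders (not real data).
const T0 = Date.UTC(2011, 5, 9, 12, 0, 0);
const MIN = 60 * 1000;
const SAMPLE_ORDERS = [
  { id: 1, userId: "alice", ts: T0, billingState: "FL", billingZip: "33101", verified: true,
    billTo: "12 Palm St, Miami FL 33101", shipTo: "12 Palm St, Miami FL 33101" },
  // Florida billing address with a California ZIP, shipping to a drop address.
  { id: 2, userId: "mallory", ts: T0 + 5 * MIN, billingState: "FL", billingZip: "90210", verified: false,
    billTo: "7 Ocean Dr, Miami FL 90210", shipTo: "500 Drop Ln, Unit 3, Los Angeles CA 90001" },
  // A different account using the same drop address, written differently.
  { id: 3, userId: "trudy", ts: T0 + 9 * MIN, billingState: "CA", billingZip: "90001", verified: false,
    billTo: "500 DROP LN  UNIT 3, LOS ANGELES, CA 90001", shipTo: "500 DROP LN  UNIT 3, LOS ANGELES, CA 90001" },
];
// bob: six orders within 40 minutes, above the assumed limit of 5 per hour.
for (let i = 0; i < 6; i++) {
  SAMPLE_ORDERS.push({ id: 10 + i, userId: "bob", ts: T0 + i * 8 * MIN, billingState: "CA",
    billingZip: "94110", verified: true,
    billTo: "1 Market St, San Francisco CA 94110", shipTo: "1 Market St, San Francisco CA 94110" });
}

// Screen every order in the set; returns { orderId: [reasons] }.
function screenAll(orders = SAMPLE_ORDERS, policy = DEFAULT_POLICY) {
  const out = {};
  for (const o of orders) out[o.id] = screenOrder(o, orders, policy);
  return out;
}

module.exports = { zipMatchesState, normalizeAddress, countRecentOrders, otherUsersAtAddress, screenOrder, screenAll, SAMPLE_ORDERS };
```

The rate check is evaluated at each order's own timestamp, so bob's first order passes and only the sixth trips the limit; that is the behaviour you want when screening orders as they arrive rather than in a nightly batch.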


Forensics
Use watermarked images and change the watermarks often; when a phishing site copies your images, the watermark tells you roughly when the copy was taken.
Investigate web logs for spiders that fetch every page and image on your site (a phisher cloning it), and note their IP addresses.
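One way to pull those spiders out of an access log, as an added example that is not code from the original post. It parses Apache "combined" format and flags any client that fetched many distinct resources within a short window. The log lines, IP addresses, thresholds and function names are constructed for this example.

```javascript
// Added example, not code from the original post: scanning an access log for
// crawlers that pull every page and image in a short burst, the pattern noted
// above. The log lines, IPs, thresholds and function names are constructed for
// this example; the line format is Apache "combined".

const MONTHS = { Jan: 0, Feb: 1, Mar: 2, Apr: 3, May: 4, Jun: 5,
                 Jul: 6, Aug: 7, Sep: 8, Oct: 9, Nov: 10, Dec: 11 };

// "09/Jun/2011:10:00:00 +0000" -> epoch milliseconds (UTC), honouring the offset.
function parseApacheTime(s) {
  const m = /^(\d{2})\/(\w{3})\/(\d{4}):(\d{2}):(\d{2}):(\d{2}) ([+-])(\d{2})(\d{2})$/.exec(s);
  if (!m || !(m[2] in MONTHS)) return NaN;
  const local = Date.UTC(+m[3], MONTHS[m[2]], +m[1], +m[4], +m[5], +m[6]);
  const offsetMs = ((+m[8]) * 60 + (+m[9])) * 60000 * (m[7] === "+" ? 1 : -1);
  return local - offsetMs;
}

const LINE_RE = /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) (\S+) "([^"]*)" "([^"]*)"$/;

// One combined-format line -> record, or null if the line does not parse.
function parseLine(line) {
  const m = LINE_RE.exec(line);
  if (!m) return null;                       // malformed lines are skipped, not fatal
  const ts = parseApacheTime(m[2]);
  if (Number.isNaN(ts)) return null;
  return { ip: m[1], ts, method: m[3], path: m[4], status: +m[5], referer: m[7], ua: m[8] };
}

// Flag IPs that fetched at least minDistinct distinct paths within windowMs.
function findSpiders(lines, { minDistinct = 6, windowMs = 60000 } = {}) {
  const byIp = new Map();
  for (const line of lines) {
    const r = parseLine(line);
    if (!r) continue;
    if (!byIp.has(r.ip)) byIp.set(r.ip, []);
    byIp.get(r.ip).push(r);
  }
  const hits = [];
  for (const [ip, reqs] of byIp) {
    reqs.sort((a, b) => a.ts - b.ts);
    // Sliding window over the sorted requests, tracking distinct paths.
    let best = 0;
    for (let i = 0; i < reqs.length; i++) {
      const seen = new Set();
      for (let j = i; j < reqs.length && reqs[j].ts - reqs[i].ts <= windowMs; j++) seen.add(reqs[j].path);
      best = Math.max(best, seen.size);
    }
    if (best >= minDistinct) {
      hits.push({
        ip,
        distinctInWindow: best,
        images: reqs.filter(r => /\.(png|jpe?g|gif)$/i.test(r.path)).length,
        userAgents: [...new Set(reqs.map(r => r.ua))],
      });
    }
  }
  return hits;
}

// Constructed sample log: one ordinary visitor, one crawler, one broken line.
const SAMPLE_LOG = [
  '203.0.113.5 - - [09/Jun/2011:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 6.1)"',
  '203.0.113.5 - - [09/Jun/2011:10:00:03 +0000] "GET /images/logo.png HTTP/1.1" 200 2210 "http://www.yoursite.com/index.html" "Mozilla/5.0 (Windows NT 6.1)"',
  '203.0.113.5 - - [09/Jun/2011:10:06:40 +0000] "GET /login HTTP/1.1" 200 3300 "http://www.yoursite.com/index.html" "Mozilla/5.0 (Windows NT 6.1)"',
  '198.51.100.77 - - [09/Jun/2011:10:12:00 +0000] "GET / HTTP/1.0" 200 5120 "-" "Wget/1.12 (linux-gnu)"',
  '198.51.100.77 - - [09/Jun/2011:10:12:00 +0000] "GET /login HTTP/1.0" 200 3300 "-" "Wget/1.12 (linux-gnu)"',
  '198.51.100.77 - - [09/Jun/2011:10:12:01 +0000] "GET /about HTTP/1.0" 200 2800 "-" "Wget/1.12 (linux-gnu)"',
  '198.51.100.77 - - [09/Jun/2011:10:12:01 +0000] "GET /contact HTTP/1.0" 200 2100 "-" "Wget/1.12 (linux-gnu)"',
  '198.51.100.77 - - [09/Jun/2011:10:12:02 +0000] "GET /images/logo.png HTTP/1.0" 200 2210 "-" "Wget/1.12 (linux-gnu)"',
  '198.51.100.77 - - [09/Jun/2011:10:12:02 +0000] "GET /images/header.png HTTP/1.0" 200 9800 "-" "Wget/1.12 (linux-gnu)"',
  '198.51.100.77 - - [09/Jun/2011:10:12:03 +0000] "GET /images/footer.png HTTP/1.0" 200 4100 "-" "Wget/1.12 (linux-gnu)"',
  'this line is not in combined format and is skipped',
];

module.exports = { parseApacheTime, parseLine, findSpiders, SAMPLE_LOG };
```

The user agent is reported but not used as a signal: a cloning tool can send any string it likes, whereas fetching every page and image of a site in a few seconds is the behaviour you are actually looking for. Keep the flagged IPs with their timestamps; they date the clone the same way a watermark does.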


Communicating with users
In emails, don't provide links to click if you can avoid it, and explain to users that they should type the URL into their browser.
Use consistent branding and a single URL for users to access, to reduce confusion.
Always tell users that you will never ask for personal information through email.
Keep the email short and direct users to your website, where you can provide the details.
Consider text-only email rather than HTML.
Don't use URL-shortening services; always use your base URL.
Don't send email saying an account lockout has occurred (that is exactly what phishing mail says); simply provide an email address or phone number for the user to contact, or better yet, phone the person directly.


More information:

Anti-phishing working group
http://www.antiphishing.org/