phishing solutions
Wednesday, February 11th, 2009

While trying to dig up the conversion rate for phishing attacks for the previous post, I stumbled across some very interesting findings from PayPal on their anti-phishing techniques. PayPal has actually managed to put together a fairly decent anti-phishing program. Most importantly, it works! (It is amazing how many people implement anti-phishing strategies that don't work.) They have taken a multi-pronged approach to combating phishing, smartly recognizing that no single strategy will work on its own. You can read their whole white paper (which I highly recommend), but here are the highlights:
- Implement Sender Policy Framework (SPF).
- Implement DomainKeys Identified Mail (DKIM).
- Work with ISPs to enforce the previous two.
- Use Extended Validation (EV) certificates.
- User education.
- Publish blacklist data.
- Block old browsers.
- Offer two-factor authentication.
- Pursue litigation against fraudsters.
Honestly, this looks like a pretty good and fairly comprehensive anti-phishing program. Some of these measures (SPF and DKIM in particular) have had an immediate impact for PayPal and should have an immediate impact for anyone who implements them, and they can be deployed for minimal cost. The catch, which the "work with ISPs" item addresses, is that SPF and DKIM only pay off when receiving mail servers actually check them and act on a failure; publishing the records alone stops nothing. IMHO, the industry should be getting behind these initiatives in a big way: they will have an almost immediate positive effect on the bottom line, and users will be happier with less spam.
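To make the SPF and DKIM points concrete, here is an added example (my own code, not from the original post or from PayPal's white paper) of the checks a receiving mail server performs. The SPF evaluator resolves the sending domain's record against a constructed in-memory table that stands in for DNS TXT lookups, so it runs offline; it handles the ip4, ip6, include and all mechanisms only, and reports permerror for mechanisms that would need live DNS (a, mx, ptr, exists). The DKIM part covers just the body-hash step (the bh= tag, with "simple" body canonicalization); verifying the b= signature over the canonicalized headers additionally needs the signer's public key from DNS and is left out. The domains, addresses and message text are constructed.

```python
"""Receiver-side SPF evaluation and DKIM body-hash check (stdlib only).

Added example, not PayPal's or the original post's code. Assumptions:
DNS is replaced by the constructed FAKE_DNS_TXT table; SPF support is
limited to ip4/ip6/include/all; DKIM support is limited to rsa-sha256
with "simple" body canonicalization and checks only the bh= tag.
"""
import base64
import hashlib
import ipaddress
import re

# Constructed stand-in for DNS TXT records; no network access is made.
FAKE_DNS_TXT = {
    "example.com": "v=spf1 ip4:198.51.100.0/24 include:_spf.mailer.example -all",
    "_spf.mailer.example": "v=spf1 ip4:203.0.113.10 ip6:2001:db8::/32 ~all",
}

# SPF qualifiers (RFC 7208 4.6.2); a bare mechanism means "+".
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MODIFIER_RE = re.compile(r"^[A-Za-z][A-Za-z0-9_.-]*=")


def check_spf(domain, sender_ip, lookup=FAKE_DNS_TXT.get, depth=0):
    """Return pass/fail/softfail/neutral/none/permerror for sender_ip
    claiming to send mail on behalf of domain."""
    if depth > 10:  # RFC 7208 caps DNS-querying mechanisms at 10
        return "permerror"
    record = lookup(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"  # no policy published: receivers cannot act on it
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        if MODIFIER_RE.match(term):
            continue  # modifiers such as exp= are ignored here
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
            matched = ip.version == net.version and ip in net
        elif mech == "include":
            # include matches only when the referenced record yields pass
            matched = check_spf(arg, sender_ip, lookup, depth + 1) == "pass"
        else:
            return "permerror"  # a, mx, ptr, exists need live DNS: out of scope
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"  # record exhausted without a match


def dkim_simple_body_canon(body):
    """'simple' body canonicalization (RFC 6376 3.4.3): CRLF line endings,
    trailing empty lines removed, exactly one CRLF at the end."""
    text = body.replace("\r\n", "\n").replace("\n", "\r\n").rstrip("\r\n")
    return (text + "\r\n").encode("utf-8")


def dkim_body_hash(body):
    """Value a signer puts in the bh= tag for this body (sha256, base64)."""
    digest = hashlib.sha256(dkim_simple_body_canon(body)).digest()
    return base64.b64encode(digest).decode("ascii")


def dkim_body_hash_matches(signature_header, body):
    """Check the bh= tag of a DKIM-Signature header value against the body.
    A mismatch means the body was altered after signing (or the header is
    forged); a match is necessary but not sufficient, since b= is not
    verified here."""
    tags = {}
    for part in signature_header.split(";"):
        key, _, value = part.strip().partition("=")
        tags[key.strip()] = "".join(value.split())  # folding whitespace is dropped
    if tags.get("a", "rsa-sha256") != "rsa-sha256":
        return False  # only sha256 is supported in this example
    canon = tags.get("c", "simple/simple").split("/")
    body_canon = canon[1] if len(canon) > 1 else "simple"
    if body_canon != "simple":
        return False  # relaxed body canonicalization is not implemented here
    return tags.get("bh") == dkim_body_hash(body)


if __name__ == "__main__":
    for ip in ("198.51.100.77", "203.0.113.10", "2001:db8:1::5", "192.0.2.1"):
        print(ip, check_spf("example.com", ip))
```

Note how the example.com record ends in "-all": a sender outside the listed ranges gets a hard fail, which is the setting a receiver can actually reject on. The included mailer record ends in "~all", so a stray sender there is only softfailed, which most receivers merely mark rather than block.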