Originally Posted By: macnerd10
True, but do we know an easy means to discern the phishing site from a real one? If we get an unusual query from the "bank", we can always call it or go to the original website and try to find out. However, if there is software that warns us about the site's possible bad nature, it should be helpful. On the other hand, my trusted iCab has an option for this warning.
P.S. On the Trusteer (Rapport maker) web site there is a list of banks collaborating with it. There are some American ones, generally rather small; most are in Europe.


I've actually written articles about this, most notably here and here.

What it comes down to is that phishers rely on a weakness in the human brain. Our brains are designed for pattern matching and pattern recognition, so that we feel a sense of familiarity when we see a familiar pattern embedded in something we observe, and we often stop observing the thing once we recognize a pattern.

So, for example, if you tell someone "Always look at the URL of a site before you trust it," and a phisher uses a web URL like signin.ebay.com.ws.eBayISAPI.dll.4333737474.ru/?Signin, most people will look at that and say "I have always been told to make sure that the URL says ebay.com and this URL says ebay.com so it must be legitimate." Our eyes tend to quit scanning when we recognize the familiar pattern, and on top of that most folks simply do not understand how URLs work, so they do not know that the name of the server is always the part just before the first /, so they don't realize they're actually at signin.ebay.com.ws.eBayISAPI.dll.4333737474.ru/?Signin and that the name of the site they are on is not ebay.com but rather 4333737474.ru.

You can tell simply by looking at a URL whether you're on a legitimate Web site or not, but it requires two things: first, understanding how to read a URL, and second, training yourself to force yourself to read the whole thing even though your brain is naturally programmed to stop paying attention as soon as you see a familiar pattern.

Last edited by tacit; 10/26/09 05:55 PM.

Photo gallery, all about me, and more: www.xeromag.com/franklin.html
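
An added example, not part of the original post: a Python sketch of the "read the whole URL" check described above, which pulls out the host (the part before the first /) and the site it actually belongs to, then flags a host that merely contains the expected name. The function names and the tiny suffix set are assumptions made for illustration; a real tool would use the full Public Suffix List.

```python
import re
from urllib.parse import urlsplit

# Constructed, deliberately tiny stand-in for the Public Suffix List (assumption).
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp"}

def host_and_site(url):
    """Return (hostname, site), where site is the rightmost labels of the host."""
    # urlsplit only sees a host after "//", so add it when no scheme is given.
    if not re.match(r"^[A-Za-z][A-Za-z0-9+.-]*://", url):
        url = "//" + url
    host = (urlsplit(url).hostname or "").rstrip(".")
    labels = host.split(".")
    # Keep three labels when the last two form a known two-label suffix.
    keep = 3 if ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES else 2
    return host, ".".join(labels[-keep:])

def check_site(url, expected_site):
    """Classify a URL against the site the reader expects to be on."""
    host, site = host_and_site(url)
    if site == expected_site:
        return "ok"
    # The familiar name is present, but only as labels further to the left.
    if f".{expected_site}." in f".{host}.":
        return "lookalike"
    return "different"

if __name__ == "__main__":
    samples = [
        "signin.ebay.com.ws.eBayISAPI.dll.4333737474.ru/?Signin",  # URL from the post
        "https://signin.ebay.com/ws/eBayISAPI.dll?SignIn",         # constructed
    ]
    for u in samples:
        host, site = host_and_site(u)
        print(f"{check_site(u, 'ebay.com'):10} site={site:15} host={host}")
```

The comparison is made on the end of the host name, never on a substring match anywhere in the URL, which is the habit the post asks readers to train.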