May 31, 2007

There are no silver bullets for phishing. But there are plenty of silver hooks. Here are some pragmatic ones that we could quickly adopt in whole or part, assuming we’re willing to accept some ill effects. Unfortunately I don’t see that happening in the near future, which is just another way of saying that our phishing pain hasn’t yet exceeded our gain.

Gain you say? Sure. Somehow we’ve completely lost sight of the fact that phishing is fueled by the exact same features (not bugs) that fuel online merchant marketing: HTML email with embedded anchor tags. Click here and buy something there.

Here are some of those silver hooks:

MTA Methods:

  • Black hole HTML email. This will undo one of the biggest technology mistakes ever made.
  • Strip anchor tags from HTML email
  • Neuter anchor tags by adding invalid characters inside the HREF attribute
  • Replace anchor tags with “[URL REMOVED FOR YOUR OWN GOOD]”

Email Reader Methods:

  • Same as MTA Methods
  • Present a mouseover warning (independent of JavaScript) telling the user to be cautious
  • Present a mouseover warning that dissects the URL into smaller components that the user can hopefully understand
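The three anchor-rewriting hooks from the MTA list (strip, neuter, replace) and the URL dissection from the reader list, as an added example in Python. This is not code from the original post; the policy names, function names, the choice of “{” as the invalid character, and the sample message are all this example’s own assumptions.

```python
"""Added example (not from the original post): an anchor filter that an MTA or
mail reader could apply to an HTML body, plus a URL dissector for a mouseover
warning. Policy and function names are this example's own choices."""
import html
from html.parser import HTMLParser
from urllib.parse import urlsplit

STRIP, NEUTER, REPLACE = "strip", "neuter", "replace"
WARNING = "[URL REMOVED FOR YOUR OWN GOOD]"


class AnchorRewriter(HTMLParser):
    """Copies HTML through untouched except for <a> elements."""

    def __init__(self, policy):
        super().__init__(convert_charrefs=False)
        self.policy, self.out, self.depth = policy, [], 0  # depth > 0 inside <a>

    def _emit(self, text):
        if self.depth and self.policy == REPLACE:
            return  # REPLACE drops the anchor's whole content (text, images)
        self.out.append(text)

    def handle_starttag(self, tag, attrs):
        if tag != "a":
            self._emit(self.get_starttag_text())
            return
        self.depth += 1
        if self.policy == STRIP:
            return  # drop the tag, keep the link text
        if self.policy == REPLACE:
            if self.depth == 1:
                self.out.append(WARNING)  # one warning per outermost anchor
            return
        # NEUTER: rebuild the tag with '{' prepended to the href. '{' is not a
        # legal URI character and, placed first, it also spoils the scheme, so
        # the value no longer parses as an absolute URL (assumed choice).
        rebuilt = []
        for name, value in attrs:
            if name.lower() == "href" and value is not None:
                value = "{" + value
            rebuilt.append(name if value is None else f'{name}="{html.escape(value)}"')
        self.out.append("<a" + "".join(" " + a for a in rebuilt) + ">")

    def handle_endtag(self, tag):
        if tag != "a":
            self._emit(f"</{tag}>")
        elif self.depth:
            self.depth -= 1
            if self.policy == NEUTER:
                self.out.append("</a>")

    def handle_startendtag(self, tag, attrs):  # <br/> and friends
        if tag == "a":
            self.handle_starttag(tag, attrs)
            self.handle_endtag(tag)
        else:
            self._emit(self.get_starttag_text())

    def handle_data(self, data):
        self._emit(data)

    def handle_entityref(self, name):
        self._emit(f"&{name};")

    def handle_charref(self, name):
        self._emit(f"&#{name};")

    def handle_comment(self, data):
        self._emit(f"<!--{data}-->")


def rewrite_anchors(body, policy):
    """Apply STRIP, NEUTER or REPLACE to an HTML mail body; returns new HTML."""
    parser = AnchorRewriter(policy)
    parser.feed(body)
    parser.close()
    return "".join(parser.out)


def dissect_url(url):
    """Split a URL into the parts a mouseover warning should show. 'host' is
    where the browser really connects; text before '@' is userinfo, the classic
    trick for making a link look like it goes to a trusted site."""
    parts = urlsplit(url)
    try:
        port = parts.port
    except ValueError:  # non-numeric port; show the raw text instead
        port = parts.netloc.rsplit(":", 1)[-1]
    info = {"scheme": parts.scheme, "userinfo": parts.username or "",
            "host": parts.hostname or "", "port": port,
            "path": parts.path, "query": parts.query, "warning": ""}
    if info["userinfo"]:
        info["warning"] = (f"'{info['userinfo']}' before the '@' is a login "
                           f"name, not the site; the link goes to {info['host']}")
    return info


# Constructed sample (not a real phish) to exercise both halves.
SAMPLE = ('<p>Dear customer, <a href="http://paypal.com@evil.example/login">'
          'click here</a> to verify &amp; continue.</p>')

if __name__ == "__main__":
    for policy in (STRIP, NEUTER, REPLACE):
        print(f"{policy:8}{rewrite_anchors(SAMPLE, policy)}")
    print(dissect_url("http://paypal.com@evil.example/login")["warning"])
```

Two caveats a deployer would want: the neuter policy only works as long as the rendering engine refuses to repair a malformed href, so strip or replace are the more dependable of the three; and all three break legitimate merchant links just as thoroughly as phishing links, which is exactly the ill effect the post says we have to be willing to accept. The dissector deliberately surfaces the userinfo component, since a link whose visible text and whose text before the “@” both say a trusted name is the case a plain mouseover tooltip is worst at.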

Merchant Methods:

  • Find alternative marketing means
  • Replace the message in anti-phishing collateral from “how to recognize a phish” to “never click on embedded links in email.”
By Larry J. Hughes, Jr.
