Let's face it, the evidence is that Phishing works and that there is little the banks and other sites can do because anyone can setup a site that looks like another one and lure users to it.

Banks will obviously do what they can to shutdown phishing sites but they only need to stay alive for a short while and fool enough customers to make it worthwhile and it is obviously worthwhile because they keep doing it.

So, the answer is to make it *not* worthwhile.

Someones bank account details with logon information is a valuable commodity and can no doubt to sold or used directly.

What would be less valuable and less use to a phishing site owner is a list of millions of false accounts. Would they be able to sell 10,000,000 useless accounts that perhaps had a few genuine ones sprinked in it?

Perhaps when a phishing site is discovered the banks could deluge it was false account logons thus making the captured list of data practically worthless and adding to the time and effort required to copy the list around.

Would this work? I don't see why not.

Another benefit is that the bank could use the fake account logon information to detect attempts to logon to the accounts and potentially trace the people using the information illegally.