Phishing attacks against eBay, PayPal and all the major banks are all too common. The latest news on phishing is an attack impersonating the IMF (International Monetary Fund). The response from the IMF is typical of every other impersonated organization and can be summarized in a single sentence: "We told you to be vigilant, so don't blame us if you're conned." Unfortunately, the burden of fighting phishing falls on consumers, many of whom are the least equipped to deal with the problem. This leaves us wondering whether sending out a single obligatory warning is really the best that eBay, a bank or the IMF can do.
S/MIME is the most ubiquitous and universally compatible email cryptography solution in the world, and it costs about $60 per year per verified sender. It would be almost impossible to find an email client that doesn't at least support reading and verifying S/MIME emails. Not only can S/MIME encrypt messages, it can also digitally sign them. When you receive an email carrying a valid digital signature, the client shows an obvious certificate logo on it.
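As an added illustration of the signing and verification S/MIME provides (this is example code, not part of the original post), the following shell session signs a bank-style notice and shows that the signature check fails as soon as the body is edited. It assumes the openssl CLI is installed and uses a throwaway self-signed certificate for a made-up sender in place of a CA-issued S/MIME certificate.

```shell
#!/bin/sh
# Added example: S/MIME clear-signing and verification with the openssl CLI.
# Assumption: a self-signed cert (constructed here) stands in for a CA-issued
# S/MIME certificate; the sender address is hypothetical.
set -eu

WORK=$(mktemp -d)

# Throwaway key pair and self-signed certificate for the hypothetical sender.
make_sender_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=alerts@example-bank.test" \
        -keyout "$WORK/key.pem" -out "$WORK/cert.pem" >/dev/null 2>&1
}

# Clear-sign: produces multipart/signed, so the body stays readable in any
# client and the detached PKCS#7 signature travels alongside it.
sign_notice() {   # $1 = plaintext file, $2 = signed .eml to write
    openssl smime -sign -in "$1" -text \
        -signer "$WORK/cert.pem" -inkey "$WORK/key.pem" -out "$2"
}

# Returns 0 only when the signature validates against the trusted sender cert.
verify_notice() { # $1 = signed .eml
    openssl smime -verify -in "$1" -CAfile "$WORK/cert.pem" \
        -out /dev/null >/dev/null 2>&1
}

make_sender_cert
printf 'Your password has been reset. Log in at the usual address.\n' \
    > "$WORK/notice.txt"
sign_notice "$WORK/notice.txt" "$WORK/notice.eml"

# Simulate a forged copy: the wording is changed after signing (constructed input).
sed 's/the usual address/a look-alike address/' "$WORK/notice.eml" \
    > "$WORK/tampered.eml"

verify_notice "$WORK/notice.eml"   && echo "original: signature valid"
verify_notice "$WORK/tampered.eml" || echo "tampered: signature INVALID"
```

A real deployment would use a certificate issued by a CA the recipients' clients already trust, so the `-CAfile` step is what the mail client performs automatically.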
While nothing is foolproof against social engineering or look-alike email domains, and not everyone will know to look for the S/MIME logo in an email from a major institution, it at least gives users a simple way to verify the source and authenticity of an email. Back in May, when the home pages of 300 banks hosted by Goldleaf Technologies were hacked, the compromised banks actually sent out emails that looked like phishing emails, telling users they may have been compromised and that their passwords had been reset. To add credibility to their email notices, the banks sent out identical physical snail-mail letters, which certainly cost a lot more than a simple S/MIME certificate, and a signed email would have been less confusing. S/MIME is such a cheap and effective way to boost security and combat phishing that it baffles the mind why no major organization is using it.