I see two distinctions in the realm of security: security and the illusion of security. An example of the illusion of security: you are asked to fill out forms that claim to protect your PII (Personally Identifiable Information). This gives the illusion that your PII is being protected; whether it is actually being protected is a moot point.

1. Banks and other financial institutions have started to use "sitekey" to protect customers from the Phishing threat.

2. IE7 has a Phishing filter built into the browser.

3. There are sites like "scandoo" which can help you categorize web sites and eliminate Phishing and Malware web sites.

4. A multitude of other controls are built into existing security tools to prevent Phishing.

Do these controls really protect a customer from the Phishing threat? Check out this interesting research paper, which makes us wonder:

1. How do customers react when "sitekey" is missing?

2. Do customers recognize the warning from the Phishing filter?

3. What % of customers know about the existence of tools such as scandoo?

It all boils down to how customers embrace the technology design; otherwise, it is only the designer's illusion that the technology is working the way the designer expected it to.

No wonder that, despite all these controls, the Phishing trend has not declined.

It is time to realize that providing an illusion of security is not enough. Educating customers to embrace technology for better security holds the key. This may involve significant time, cost and energy but that is the right path toward real security.