How can a phishing attack possibly work with e-mail filtration?

[cytherian]

With all of the awareness today of malware, free anti-virus programs, and aggressive email filtering, it would seem that only the careless or ignorant would manage to get their computers infected.

But phishing still seems to be the most popular way to get an infection. Someone gets an e-mail from their banking institution, with a link to click on and a request to attend to some matter there, but the link goes to a malicious website that mimics the trusted institution website. The elderly must be the most vulnerable to this, as they won't be as sharp to scrutinize such communication. Then there's also the matter of a favorite website becoming infected, to attempt deception while you're visiting it, but I imagine that this is quite rare.

But isn't e-mail filtration strong enough now that the e-mail MUST come from the bank's trusted domain? Anything that doesn't match goes to the spam folder. Or, have hackers come up with a way to make an insertion into the e-mail stream such that their e-mail header will contain the proper routing information from the bank's domain? I just don't get how phishing should still be so effective at creating infections.

Incidentally, there's a UC Berkeley research paper on the subject that is rather interesting: Why Phishing Works

 

[HAVOC]

You can't fix stupid.

I think the only way to slow it down is to educate everyone, not just the elderly. Tell them that if they get an email from a bank, delete it and go to the bank in person to ask about the email. The same goes with other email, just delete them.
You would need filters setup to delete these types of emails.

 

[MilesAhead]

Likewise if you get some communication from an outfit where you have an online account that looks like it could be legit, don't go through a link in the email. Just browse to your account online and log in. If something is really going on there should be a notice you can read there.

 

[Alejandro85]

Most people don't care at all about security, that's it. They just want to click a link and make something work, and don't look into the details that reveal a phishing attack.
That's why many banking sites send the mail "We don't ask personal info by email, don't click any link", but really many people don't care at that.

Common sense should be the very first line of defense, and is THE most effective one. So antiviruses came to try to comply that function.