- Use SSL to protect their entire site and deliver all content. EV SSL certificates may be even better. See the following article: http://www.digicert.com/extended-validation-ssl.htm
- Use a single domain for all parts of the site that you are asking users to trust or interact with. For example, the login credentials should be on a page that clearly belongs to the bank. (Note: It is possible to do so while working with an external service provider by proper use of SSL certificates.)
Once most banks do that, the message to educate the customer becomes very simple. Here is the message to customers:
- Customer should ALWAYS check that the URL for their bank starts with HTTPS. Otherwise, assume it is NOT from the bank.
- Customer should always check the hostname in the URL is the bank's (show pictures to explain this). If it is not, assume the page is NOT from the bank despite the https.
The changes should be simple to implement by your service provider and web master, but may require acquiring new certificates. It is all fairly standard technology.