Living in London, I feel no need to own a car. You have to buy it, insure it, tax it, get it through the MoT, fill it up, find somewhere to park it, worry about it getting stolen or broken into, and then if you start driving it instead of cycling or walking, you get fat. Where's the win?

However, if I were to purchase one, say second-hand from Honest John's Quality Motors in AutoMart, before I handed over my hard-earned cash, I would want to know that Honest John was a good person to do business with. How could I go about establishing that? I could ask my friends if they'd had any dealings with him – the classic "Would you buy a used car from this man?"

I could see if he was a member of any reputable trade organisations. I could make sure that his premises actually existed and that he wasn't likely to disappear overnight.

One thing I wouldn't do, however, would be to just ask John himself.

"Er hi, I'm thinking of buying a car from you. Is this car any good? Are you trustworthy?"

"Of course, my son! Honest as the day is long, me. A real bargain, this one. One old lady owner, only drove it 500 yards to the shops once a week."

The foolishness of this approach seems obvious. But many people do the exact equivalent when they are deciding whether it's safe to interact with a website.

A recent study found that, when asked to assess the trustworthiness or otherwise of a number of different websites, around a quarter of participants based their decision solely on the contents of the page, ignoring any security-related indicators that the browser may be showing them. As the contents are under the complete control of the attacker, this is the equivalent of asking Honest John whether he's going to rip you off or not.

Phishing has moved beyond the amateur; like spam, it's now a billion-dollar-a-year black economy industry. Losses to banks in 2003 were $1.2 billion in the United States alone. And that sort of money buys a high degree of professionalism. Gone are the days of dodgy spelling and broken graphics; today's phishing e-mails and sites are pretty much indistinguishable from the real thing. So it's not surprising that, if Honest John's reply is so convincing, so many users are being had.

But it's not fair to blame the problem entirely on them. Although matters are improving, with the latest round of releases due in the summer, browser makers have been very remiss in not making changes to their products to give people more guidance. And I include the Mozilla organisation here. This article is not about giving us a pat on the back.

Many people, including the authors of the study mentioned above, have ideas about how the browser user interface can be improved. However, almost all of them increase complexity and cognitive burden. Given that security is ancillary to the task at hand (buying an 80th birthday present for Grandma, or paying the rent), adding extra steps or work is a road to nowhere. The key is to make doing the right, secure thing easier than doing the wrong thing.

How is that possible? One radical idea: imagine that your browser never told you what your passwords were. Instead, it generated them for you when you needed them, stored them securely, and conveniently logged you into each site automatically when you visited it. Now, you can't give your password to the wrong site because you don't know what it is.

Another: if a site is deemed suspicious, show the user a blank page while they are making a decision. Remove the phisher's ability to use lookalikes to confuse.

So yes, users need to stop taking Honest John's word for it and start using the tools available to protect themselves. But also browser makers need to put some serious effort into making security more convenient than insecurity. Otherwise, the losses are only going to increase.

Gervase Markham works for the Mozilla Foundation, a non-profit organisation dedicated to promoting choice and innovation on the internet. His blog is Hacking For Christ

Times Recommends

• C&G axed - 1,660 jobs to be lost
• UK house prices rise 1.1% as buyers return
• Mixed reaction to US banks repaying bailouts