Recently one of our local banks suffered phishing issues. This incident forced them to completely shut down their online transactions. They forced every single user account's transaction password to be reset before the expiry time. This bank has a policy of 90-day password expiry and blocking re-use of the last 3 passwords.

However, the phishing website collected both the login password and transaction password.

You may see some screenshots at (in Nepali language):

My question is: as small and medium-sized website developers, how can we implement some security measures against such activities that try to clone the look and feel of the valid website, trap the login details and attack the main accounts?