Phishing protection are not only at your application level but also by making your users aware of what a phishing is. Even top-noch banks are vulnerable to phishing attacks.
I would suggest you:
- Aware your users by adding a note on what is phishing within your application
- Implement a SSL Certificate to improve the protection on phishing https://www.liquidweb.com/blog/index.php/secure-your-website-ssl-certificates-with-phishing-protection/ (just one more measure, it doesn't guarantee to be bulletproof)
A mechanism i've seen in a few banks is :
- Make the user insert his username
- Show an image only know by him that user chose previously at registrarion.
- Make the user accept that he/she choose that image previously
- Make the user insert his password
This way if a user is a victim of a phishing attack, the attacker must know not just his username but also the image that the user choose.
Also in case the user doesn't exists you should set up a fake image so you prevent a user enumeration attack.