You need to protect yourself against SQL Injection attacks. If you are worried about someone brute forcing a password, set up a method within the database so that when a user types in a password wrong, a counter is ticked. When the value of the counter reaches a number you decide (5, 10, etc.), the account is disabled until the person contacts the Customer Service / Help Desk department.
There isn't anything you can do about phishing, as that is when someone puts up a page that looks like yours on another web site and tries to get people to go to that site. The only defense here is customer education.
Other things to think about are firewalls, DDoS protection, etc.
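The first two points of the answer above (parameterized queries against SQL injection, and a failed-login counter that disables the account at a chosen threshold until the help desk resets it) can be shown together in one small login routine. This is an added example written for this page, not code from the original poster; it uses Python's standard-library `sqlite3` with an in-memory database, a constructed user table, and a threshold constant `MAX_FAILED_ATTEMPTS` that stands in for the "5, 10, etc." the answer leaves to the operator.

```python
import hashlib
import hmac
import os
import sqlite3

# Threshold is the operator's choice, as the answer says (5, 10, ...). Constructed value.
MAX_FAILED_ATTEMPTS = 5


def create_schema(conn):
    # Counter and disabled flag live next to the credential, so the check and the
    # tick happen in the same row the login reads.
    conn.executescript("""
        CREATE TABLE users (
            username        TEXT PRIMARY KEY,
            salt            BLOB NOT NULL,
            pw_hash         BLOB NOT NULL,
            failed_attempts INTEGER NOT NULL DEFAULT 0,
            disabled        INTEGER NOT NULL DEFAULT 0
        );
    """)


def hash_password(password, salt):
    # Salted, slow hash so a leaked table is not directly reversible.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


def add_user(conn, username, password):
    salt = os.urandom(16)
    # "?" placeholders: the driver sends username as data, never as SQL text.
    conn.execute(
        "INSERT INTO users (username, salt, pw_hash) VALUES (?, ?, ?)",
        (username, salt, hash_password(password, salt)),
    )
    conn.commit()


def login(conn, username, password):
    """Return 'ok', 'bad_password', 'disabled' or 'unknown_user' (internal codes)."""
    row = conn.execute(
        "SELECT salt, pw_hash, failed_attempts, disabled FROM users WHERE username = ?",
        (username,),
    ).fetchone()
    if row is None:
        return "unknown_user"
    salt, pw_hash, failed, disabled = row
    if disabled:
        # Locked accounts stay locked even for the right password; only the
        # help desk reset below clears the flag.
        return "disabled"
    if hmac.compare_digest(hash_password(password, salt), pw_hash):
        conn.execute("UPDATE users SET failed_attempts = 0 WHERE username = ?", (username,))
        conn.commit()
        return "ok"
    # Wrong password: tick the counter and disable once the threshold is reached.
    failed += 1
    now_disabled = 1 if failed >= MAX_FAILED_ATTEMPTS else 0
    conn.execute(
        "UPDATE users SET failed_attempts = ?, disabled = ? WHERE username = ?",
        (failed, now_disabled, username),
    )
    conn.commit()
    return "disabled" if now_disabled else "bad_password"


def reset_by_help_desk(conn, username):
    # The out-of-band step from the answer: a human verifies the caller, then unlocks.
    conn.execute(
        "UPDATE users SET failed_attempts = 0, disabled = 0 WHERE username = ?",
        (username,),
    )
    conn.commit()


def demo():
    """Run the scenario end to end and return the sequence of login outcomes."""
    conn = sqlite3.connect(":memory:")
    create_schema(conn)
    add_user(conn, "alice", "correct horse battery staple")  # constructed test account
    results = [login(conn, "alice", "wrong") for _ in range(MAX_FAILED_ATTEMPTS)]
    results.append(login(conn, "alice", "correct horse battery staple"))  # right password, but locked
    reset_by_help_desk(conn, "alice")
    results.append(login(conn, "alice", "correct horse battery staple"))  # works again after reset
    # A username containing SQL syntax is matched literally and simply finds no row.
    results.append(login(conn, "' OR 1=1 --", "anything"))
    return results


if __name__ == "__main__":
    for outcome in demo():
        print(outcome)
```

The return codes are for the server side only; the response sent to the client should be one generic "login failed" message so the counter cannot be used to tell valid usernames from unknown ones. The same counter logic can be moved into a database trigger or stored procedure if you prefer to keep it "within the database" as the answer puts it; the control flow stays the same.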