Bank, Customers Spar Over Phishing Losses

Who should bear the cost of phishing losses: the bank or the customer? That question is at the heart of a recent dispute between the Bank of Ireland and a group of customers that fell victim to a phishing scam that drained 160,000 Euros ($202,000) from their accounts. The bank initially refused to cover the losses, but has since changed its mind and credited the accounts of nine victims, who had threatened to sue to recover their funds.

The Bank of Ireland incident is one of the first public cases of a bank seeking to force phishing victims to accept financial responsibility for their losses, but it likely won't be the last. Phishing scams continue to proliferate: Netcraft has blocked more than 100,000 URLs already in 2006, up from 41,000 in all of 2005. Financial institutions continue to cover most customer losses from unauthorized withdrawals. But after several years of intensive customer education efforts, the details of phishing cases are coming under closer scrutiny, and the effectiveness of anti-phishing efforts taken by both the customer and the bank is likely to become an issue in a larger number of cases.

The issue of responsibility has been most prominent in the UK. In late 2004, the UK trade association for banks, known as APACS, began warning that financial institutions may stop covering losses from customers who have ignored safety warnings. That stance is reflected in the group's statement on customer protection.

"Banks are committed to keeping their customers' money safe and will protect customers from Internet fraud as long as they have acted with reasonable care," APACS says on its Bank Safe Online web site. "Customers must also take sensible precautions however so that they are not vulnerable to the criminal. Each case of Internet fraud is different and you can be sure that the bank will make a full investigation in the unlikely event that money is withdrawn from your account."

The American Banking Association, the industry group for the U.S. banking industry, is more definitive in its reassurance to customers on phishing losses. "Consumers are protected against losses," the ABA says on its web site. "When a customer reports an unauthorized transaction, the bank will cover the loss and take measures to protect your account."

But there have been exceptions. Last year Miami business owner Joe Lopez sued Bank of America after it refused to cover $90,000 in phishing losses. Lopez' computer was infected by a keylogging trojan, which captured his login details. His funds were soon transferred to a bank in Latvia. When Bank of America refused to cover the loss, Lopez sued for negligence, saying the bank failed to warn him about the trojan.

Where will the line be drawn between the bank's responsibility and the customer's? The handful of existing cases leave the issue unsettled, but suggest that the quality of the banks' phishing defenses will be a key point in the debate. In practice, banks will not be able to pass on the financial risk of phishing to their customers simply through careful writing of the customer agreement, as the customer has no direct influence over the anti-phishing measures the bank takes.

Declaration of interest: Netcraft provides a suite of anti-phishing services, including an anti-phishing toolbar, security testing, alerting and countermeasures for financial institutions.