Bank/Customer Lawsuits Over Phishing Scams Rising

Written by Sue Walsh on March 8, 2010

Over the past week there have been two instances of banks and customers suing over phishing attacks. In the first, Texas-based Hillary Machinery Inc. fell victim to a phishing attack and had over $800,000 stolen from their account. Their bank, PlainsCapital, was able to recover around $600,000, but when Hillary Machinery requested the bank refund the remaining $200,000, PlainsCapital slapped them with a lawsuit. The suit asks the court to declare that the bank's security procedures were reasonable and that it processed the fraudulent ACH transfers in good faith. Hillary Machinery was stunned.

In the second case, a Michigan supply company is suing its bank, claiming it does not adequately protect its customers from phishing attacks. Experi-Metal Inc. claims that Comerica Bank encouraged phishing attacks by sending customers an email asking them to click on a link to download an update to the bank’s security software. This is a well-worn trick used by phishers, and the company says that by doing so the bank made customers more willing to trust fake emails claiming to be from Comerica. Experi-Metal lost over $500,000 to a phishing attack.

In response, the bank said that it was the fault of the Experi-Metal employee who fell for the phishing scheme and handed over the company’s banking credentials. Furthermore, they said, the phishing site would have been obviously fake “to any reasonably alert person who was responsible for safeguarding EMI’s financial records and digital credentials.” Ouch. Basically they are insisting it’s not their fault that the employee was stupid enough to fall for the phishing email, but does Comerica hold some responsibility for its practice of sending out emails with links directing customers to download a security update? (The bank has since switched to a different system. The employee apparently trusted that the phishing email was real because of the previous, legitimate one.) What do you think? When a phishing attack happens, who should be held responsible, the victim or the bank?

Comments

King March 8, 2010

It’s too simple to ask such a binary question: is it the customer or the bank at fault? Each situation is different. A customer who answers a silly, misspelled phish is clearly at fault. But when a customer falls for a well-done or targeted phish and the bank transfers money to a foreign country for an account who never transfers money outside the state (for example), one can make the argument that the bank had some responsibility as well. Total anonymity of customers and lack of any behavior pattern recognition is hurting businesses.

But employees (indeed, all users) must get smarter about the importance of their on-line credentials or every company in the world can plan on being bankrupt eventually.
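The "behavior pattern recognition" the comment above says banks lack is, at its simplest, a per-customer baseline that outbound transfers are scored against before release. The following is an added example written for this page, not code from the original post or from either bank; the customer name, vendor accounts, amounts and country codes are constructed sample data, and the scoring weights and hold threshold are assumptions chosen for illustration.

```python
"""Behavior-pattern check for outbound ACH transfers (added example).

A per-customer baseline built from past transfers, and a scoring function
that flags a new transfer which departs from that baseline: a destination
country never used before, a counterparty never paid before, or an amount
far above the customer's historical pattern. A high score means "hold the
transfer and verify out of band", which is the control the comment argues
was missing. All sample data below is constructed.
"""
from collections import Counter
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Transfer:
    customer: str
    amount: float
    dest_country: str
    dest_account: str


def build_baseline(history):
    """Summarise a customer's past outbound transfers: destination countries
    seen, counterparty accounts seen, and amount mean / standard deviation."""
    amounts = [t.amount for t in history]
    return {
        "countries": Counter(t.dest_country for t in history),
        "accounts": Counter(t.dest_account for t in history),
        "mean": mean(amounts),
        "stdev": pstdev(amounts),
        "count": len(history),
    }


def score_transfer(transfer, baseline):
    """Return (score, reasons). Each reason is one way the transfer departs
    from the baseline. Weights are assumptions for illustration: a brand-new
    destination country counts most, a new counterparty least."""
    reasons = []
    score = 0
    if transfer.dest_country not in baseline["countries"]:
        reasons.append("destination country never used before")
        score += 3
    if transfer.dest_account not in baseline["accounts"]:
        reasons.append("new counterparty account")
        score += 1
    # Amount outlier: more than three standard deviations above the mean.
    # If history has no variance, fall back to a quarter of the mean.
    stdev = baseline["stdev"] or baseline["mean"] * 0.25
    if transfer.amount > baseline["mean"] + 3 * stdev:
        reasons.append("amount far above historical pattern")
        score += 2
    return score, reasons


def decide(transfer, baseline, hold_threshold=3):
    """Policy decision for one transfer: ('release' | 'hold', score, reasons)."""
    score, reasons = score_transfer(transfer, baseline)
    return ("hold" if score >= hold_threshold else "release"), score, reasons


# Constructed history: a domestic business that only pays a few known vendors.
HISTORY = [
    Transfer("Acme Machinery", 12_500.00, "US", "vendor-A"),
    Transfer("Acme Machinery", 9_800.00, "US", "vendor-B"),
    Transfer("Acme Machinery", 14_200.00, "US", "vendor-A"),
    Transfer("Acme Machinery", 11_000.00, "US", "vendor-C"),
    Transfer("Acme Machinery", 13_300.00, "US", "vendor-B"),
]
BASELINE = build_baseline(HISTORY)

# Constructed candidates: a routine payment, a new in-country vendor at a
# normal amount, and a transfer that breaks every established pattern.
ROUTINE = Transfer("Acme Machinery", 12_000.00, "US", "vendor-A")
NEW_VENDOR = Transfer("Acme Machinery", 10_000.00, "US", "vendor-D")
ANOMALOUS = Transfer("Acme Machinery", 95_000.00, "XX", "mule-account-1")

if __name__ == "__main__":
    for t in (ROUTINE, NEW_VENDOR, ANOMALOUS):
        verdict, score, reasons = decide(t, BASELINE)
        print(f"{t.dest_account:15} {t.amount:>10,.2f} {t.dest_country} "
              f"-> {verdict} (score {score}) {reasons}")
```

The point of the three candidates is that a single new counterparty at a normal amount is released (legitimate businesses add vendors), while a first-ever foreign destination combined with an amount several times the customer's norm is held for verification. In a real deployment the baseline would also carry time-of-day and frequency features, and the hold would trigger a callback to a phone number on file rather than any channel the credential holder can influence.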

Pingback: Phishing News – Week Ending 12 March 2010 « Truedomain Blog
