When you consider all the technological updates in the banking world — and the subsequent scamming — it’s no wonder McAfee published an online banking safety guide to educate unprotected consumers. But a recent resolution to a lawsuit concerning a phishing scam prompts one to ask: who is actually accountable for the customer’s banking information?
In January of 2009, Comerica Bank customers were targeted by a phishing scam in which customers were lured via email to divulge sensitive account information. Although banks and security resources everywhere tell you never to respond to an email from your bank, but rather to go to the website or contact them if you’re unsure, the scammers lucked out.
Details of the case
An employee at a Michigan-based metal supply company called Experi-Metal Inc., under the impression that the email came from Comerica, responded with the company’s personal information. Over the next few hours, the funds at EMI were ravaged, as the scammers sent out 93 wire transfers worth over $1.9 million. All told, Comerica could not recover $561,399 of the fraudulent transfers, and the money disappeared across the world into some bank accounts in Russia and Estonia.
A few months later EMI sued Comerica for the money they couldn’t recover.
Since this case is one of the first published decisions on the topic, it will largely set the legal standards for which party is responsible for money lost to a successful phishing scam. The details of the case are a bit long-winded, but the judge ended up ruling in favor of EMI against Comerica, explaining essentially that the bank did not have the proper security in place according to “industry standards.” The resolution stated that “a bank dealing fairly with its customer, under these circumstances, would have detected and/or stopped the fraudulent wire activity earlier.”
The bank had to pay out, and that means that banks are responsible for enhancing their monitoring activities in order to avoid taking losses for fraudulent wire transfers. (Interestingly, if you call up Comerica Bank today and wait on hold for a customer service rep, you’ll hear about their new and enhanced security methods.)
The cost for an everyday bank customer
However, how would a high-profile case like this involving big companies and costly legal fees apply to me if phishers got into my $26,000 savings account, which took me seven years to accumulate? (Numbers are fake; it would feel depressing on any scale.) The money would be long gone if I didn’t freeze my account right away (like the employee at EMI, but even then who knows?), and furthermore if I had given over my social, my credit would soon be destroyed.
I don’t know how I would have dealt, but I do know that I wouldn’t have tried to sue Comerica myself. Even if I won, the legal fees would eat up most of the savings anyway.
Phishing scams have been creeping up all over the internet in various forms, and these techniques have worked, as proven by the Comerica case. This caused leading security software developer McAfee to create a guide about banking safely on computers, tablets and mobile devices.
McAfee guide shifts responsibility
The impetus to create this guide was largely a result of a 2010 study performed by Javelin Strategy & Research, which showed that 47 percent of people did not have antivirus software installed. Unfortunately, at the time I wrote this column, the link to the guide was broken and the McAfee PR contact did not answer the phone.
However, the press release from Wednesday provided a lot of details about the guide. McAfee essentially divided up online bankers into three categories and provided tips for each. In the conclusion the release states, “McAfee is redoubling its efforts to offer consumers the very best practical information on online banking safety, whether they are banking from their computer or mobile devices.”
While they only briefly mention email phishing scams and focus more on selling their security software, from here it would seem that the burden of responsibility is on the customer. McAfee seems to believe it’s up to the customer to protect his information, not the bank. If I have to protect my computer from malware by paying for and installing software, shouldn’t I also be responsible for not sending over my information to malevolent third parties?
It all comes down to…
Phishing scams frustrate users every day and sometimes cause devastating financial damage. Both banks and their customers have to monitor online finances at all times to ensure that these scams disappear. But as is always the case, new ones will arise, with a new set of issues.
The pleading from McAfee, coupled with the results of the Comerica case, raises the question: what’s considered “reasonable” security, not just for the bank but for either side? Who really owns the customer’s banking information?