“Phishing” – are banks accountable?

APACS has recently said that UK banks can’t be expected to go on compensating the victims of “phishing” attacks. I’m astonished that they ever did in the first place! And it’s hardly surprising that, when there is no cost to stupidity, people go on falling for these frauds.

“Phishing” attacks follow a fairly standard pattern: spam e-mails that look like they come from a bank (they use bank logos and internet addresses that include the bank’s name) ask the recipient to urgently log on and confirm their internet banking details. The reasons given for why you should do this are plausible but fraudulent. All banks say, in crystal clear terms on the home page for their internet banking sites, that they would never ask customers to “confirm details” of their accounts across the internet. And this is just common sense: banks invest very substantially in their computer and information security systems and have to comply with stringent data protection and privacy legislation – they would never be in a position where you had to “re-confirm” your data to them.

This particular fraud has now had a lot of newspaper coverage as well. Surely we’ve reached the point where the banks should simply say: “if you fall for this fraud, please report it to the police. We will keep having fraudulent sites taken down as fast as you notify us of them, but we will not compensate you for your losses.” Would such a stance, combined with some newspaper headlines, not encourage internet banking users to be accountable for their own actions?