A complaint filed in December 2009 by a Michigan-based company alleges that its bank’s conduct caused the company to become the target and victim of a phishing attack.

Dallas-based Comerica is being sued by its customer, Experi-Metal Inc., who alleges that for a period of eight years, the bank sent emails to its customers instructing them to click on a link in the email to renew Comerica’s digital certificate.  In 2008, the bank changed its security methods entirely, switching instead to tokens that would generate a random set of numbers to be entered with the customer’s user name and password.  In 2009, however, a phishing email was sent to Experi-Metal claiming to be from Comerica that gave instructions to open a link in the email.  Upon clicking the link, the Experi-Metal employee logged on to what looked to be the Comerica website.  Instead, hackers made 47 wire transfers to the tune of almost $550,000.  The bank counters that a reasonably alert person would have caught on that the email was a phishing scam. 

To read more about the Experi-Metal Inc. vs. Comerica case, see this Bank Info Security article.

The moral of this story?  If you are a bank, consider implementing policies prohibiting your institution from sending your customers emails that request personal information.  If you are a bank customer, do not open emails that purport to be from your bank without first contacting your bank to confirm that the email you received is legitimate.