Posted on 03/31/2010 at 12:22 PM by Mary Zambreno
A complaint filed in December 2009 by a Michigan-based company alleges that its bank's conduct caused the company to become the target and victim of a phishing attack. Dallas-based Comerica is being sued by its customer, Experi-Metal Inc., which alleges that for a period of eight years, the bank sent emails to its customers instructing them to click on a link in the email to renew Comerica's digital certificate. In 2008, the bank changed its security methods entirely, switching instead to tokens that would generate a random set of numbers to be entered with the customer's user name and password. In 2009, however, a phishing email claiming to be from Comerica was sent to Experi-Metal, with instructions to open a link in the email. Upon clicking the link, the Experi-Metal employee logged on to what looked to be the Comerica website. It was not, and hackers made 47 wire transfers totaling almost $550,000.

The bank counters that a reasonably alert person would have recognized the email as a phishing scam. To read more about the Experi-Metal Inc. vs. Comerica case, see this Bank Info Security article.

The moral of this story? If you are a bank, consider implementing policies prohibiting your institution from sending your customers emails that request personal information. If you are a bank customer, do not open emails that purport to be from your bank without first contacting your bank to confirm that the email you received is legitimate.