Phishing for answers: Customer claims bank to blame for fraud scheme

A complaint filed in December 2009 by a Michigan-based company alleges that its bank's conduct caused the company to become the target and victim of a phishing attack. Dallas-based Comerica is being sued by its customer, Experi-Metal Inc., who alleges that for a period of eight years, the bank sent emails to its customers instructing them to click on a link in the email to renew Comerica's digital certificate. 

In 2008, the bank changed its security methods entirely, switching instead to tokens that would generate a random set of numbers to be entered with the customer's user name and password.  In 2009, however, a phishing email was sent to Experi-Metal claiming to be from Comerica that gave instructions to open a link in the email.  Upon clicking the link, the Experi-Metal employee logged on to what looked to be the Comerica website.  Instead, hackers made 47 wire transfers to the tune of almost $550,000. 

The bank counters that a reasonably alert person would have caught on that the email was a phishing scam.  To read more about the Experi-Metal Inc. vs. Comerica case, see this Bank Info Security article. The moral of this story?  If you are a bank, consider implementing policies prohibiting your institution from sending your customers emails that request personal information.  If you are a bank customer, do not open emails that purport to be from your bank without first contacting your bank to confirm that the email you received is legitimate.

The material in this blog is not intended, nor should it be construed or relied upon, as legal advice. Please consult with an attorney if specific legal information is needed.