Galexia

Submission - Joint submission to the 2007 Review of the Electronic Funds Transfer (EFT) Code of Conduct to ASIC (May 2007)

Q29 – Should an additional example be included in cl 5.6(e) specifically referring to the situation when an account user acts with extreme carelessness in responding to a deceptive phishing attack?

It may be that there are certain situations in which account users have acted with a degree of carelessness in responding to a phishing attack that is considered ‘extreme’, such that liability should be imposed upon them for any resultant financial loss. However, the notion of ‘carelessness’ should be carefully demarcated with respect to phishing attacks for a number of reasons:

  • Firstly, it is important to remember that, although there is a range of authentication technologies available to end-users to assist with detecting phishing attacks, these are generally less effective than technologies that can be implemented by financial institutions.[27]
  • Secondly, financial institutions have been instrumental for some time in promoting the use of the online channel to their customers. Despite having the option of encouraging, or even compelling, customers to shift to the use of other channels for banking so as to avoid the problem of phishing attacks (including telephone or face-to-face banking), they have avoided doing so. In this regard it must be remembered that financial institutions reap significant benefit in the form of cost savings by encouraging their customers to perform banking transactions online.
  • Thirdly, if the financial services community does not know why consumers repeatedly respond to phishing attacks, then it is pointless and unfair to impose liability on them for responding more than once. If consumers genuinely think that they are taking appropriate action, and genuinely think they are responding to a message from their institution, then making them liable in those circumstances would just seem to have the effect of discouraging them from using Internet banking. Further research on why consumers respond to attacks would help design appropriate security defences, rather than simply shifting liability to consumers.

For these reasons, employing a broad definition of ‘carelessness’ in Clause 5.6(e) in order to impose a greater degree of liability on bank customers in relation to losses flowing from phishing attacks is unwarranted.


[27] This is discussed in more detail in the response to Question 30, Potential Responses to Phishing Attacks and other forms of Online Fraud at page 29.