Posted November 30, 2009
The teaser appearing in the bottom corner of the New York Times print edition’s Sunday Business section looked promising: Phish foil. Digital Domain. The article’s title, Don’t Take This Bait (But You’re Safe If You Do), suggested there would be more coverage of phishing, a generic name for attempts by online criminals to gain internet users’ login credentials to online banking services by presenting them with fake login pages. Unfortunately, while Stross’ article did indeed discuss phishing and offered some tools internet users can use to keep their bank accounts safe online, the article’s main message completely misses the mark.
The article begins by relaying a close encounter that FBI Director Robert S. Mueller III had with a phishing attack. Although Mueller reportedly did not fall victim to the attack, he emphasizes the lengths criminals go to in order to gain access to one’s bank funds through email-based phishing attacks. Unfortunately, the crux of the article boils down to this:
I’m not convinced, however, that online banking carries the high risk that Mr. Mueller implies. I know that as ordinary computer users, we are offered unlimited bait from phishers. But I’m not particularly worried: I’m not on the hook for losses from fraud — my bank is.
The article concludes by emphasizing that banking customers need not worry about falling victim to phishing attacks because virtually all financial institutions offer full remuneration in cases where unauthorized individuals access and remove funds from an online account.
At a very narrow and superficial level this premise is true and provides some comfort to victims of an attack. However, the reality of this situation is that every time a phishing attack succeeds, it has very negative side effects for all who use online banking. Yes, the bank whose user fell prey to the phishing attack is on the hook for the stolen funds, but we have learned all too well in the past eighteen months that even the largest financial institutions do not have infinite resources. Banks do not simply create money to compensate the victims of phishing attacks – those reimbursements come from insurance policies or income the bank generates from fees levied on its customers. When the banks’ insurance premiums increase or overall costs rise – as they do when their customers get phished – the increases are passed on to consumers.
Further, many victims of successful phishing attacks who have had their money stolen probably would not agree that there is “zero liability” to online banking. The time lost while reporting the attack to their banking institutions is time without access to funds they count on to be there. While banks make an effort to minimize the time phishing victims go without their funds, the process is not immediate and the customers may be left without money needed for critical expenses like food and housing.
The New York Times is to be commended for raising general awareness about the dangers of phishing attacks. But minimizing the impact of phishing is a dangerous message that only helps online criminals.