Research on AI-Assisted Phishing Campaigns Targeting Financial Institutions

1. Experi-Metal, Inc. v. Comerica Bank (2011, E.D. Mich.)

Facts:

Experi-Metal, a commercial company, used Comerica Bank’s online wire transfer system.

An employee received a phishing email disguised as a "Comerica Business Connect Customer Form" and entered his user ID, password and secure-token code on a look-alike site, so the one-time token code was captured along with the static credentials.

Attackers used these credentials to initiate 93 fraudulent transfers totaling around $1.9 million to overseas accounts.

Comerica became aware of the fraud several hours after the first transfers were sent. About $561,399 was never recovered.

Legal Issues:

Did Comerica follow “commercially reasonable security procedures” under UCC Article 4A?

Did the bank act in "good faith" when accepting the payment orders despite obvious red flags (a burst of large overseas wires from an account with little prior wire activity, funded by overdrafts)?

Holding:

The security procedure itself (token-based authentication that Experi-Metal had agreed to) was treated as commercially reasonable, so the orders were "verified" under UCC §4A-202.

The court nevertheless found that Comerica did not accept the orders in good faith, measured as "observance of reasonable commercial standards of fair dealing," because it kept executing abnormal transfers for hours without investigating them.

The bank was liable for the unrecovered loss of $561,399.

Importance:

Shows that having a commercially reasonable security procedure is not enough; a bank that authenticates an order must still act in good faith when the pattern of transactions is abnormal.

An early and frequently cited district court decision on bank liability for phishing-based wire fraud (it is persuasive rather than binding precedent).

2. Studco Building Systems, LLC v. 1st Advantage Federal Credit Union (2023, Virginia)

Facts:

Studco was instructed by its vendor (Olympic Steel) to make payments to a bank account.

Hackers intercepted the vendor email and sent a spoofed email with fake bank details.

Studco transferred $558,868.71 to the fraudulent account at 1st Advantage Federal Credit Union.

The credit union's automated system generated alerts that the beneficiary name on the incoming payments did not match the name on the account, but the payments were posted anyway; no employee reviewed the alerts before the funds were credited.

Legal Issues:

Under UCC §4A-207, is the receiving bank liable when it accepts funds with a mismatch between the beneficiary name and account number, especially if it has “actual knowledge” of the mismatch?

Holding:

The district court (E.D. Va.) found that the automated alerts gave the credit union actual knowledge of the mismatch.

On that basis it held the credit union liable for the full amount transferred.

Importance:

Illustrates the theory that a beneficiary bank can be liable under §4A-207 if it ignores red flags such as name/account mismatches. Note that this district court judgment was reversed by the Fourth Circuit in 2025 (see case 4), which held that unreviewed automated alerts do not amount to actual knowledge.

The practical lesson survives the reversal: an alert that nobody is required to act on is not a control, and a mismatch should hold the credit until a person clears it.
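The following is an added example, not code from the page or from any credit union's system, showing what the difference between "alert fires, money moves" and "alert holds the credit" looks like in practice. It screens an incoming credit against the receiving institution's own account records: a token-based beneficiary-name comparison plus a second signal (a business-style name aimed at a consumer account, the pattern in the Studco facts). The ledger, the account numbers, the names, the 0.5 similarity threshold and the sample payment are all constructed for illustration.

```python
"""Beneficiary name/account-number mismatch screening for an incoming credit.

Added example (not from the page or from any bank's system). The ledger,
the threshold and the sample payments below are constructed for illustration.
"""
from dataclasses import dataclass, field
import re
import unicodedata


@dataclass(frozen=True)
class Account:
    number: str
    holder: str
    kind: str  # "business" or "consumer"


@dataclass(frozen=True)
class IncomingCredit:
    account_number: str     # account number supplied by the originator
    beneficiary_name: str   # beneficiary name supplied by the originator
    amount: float


@dataclass
class Decision:
    action: str                       # "post", "hold" or "return"
    reasons: list = field(default_factory=list)


# Constructed ledger: one consumer account and one business account.
LEDGER = {
    "1002003004": Account("1002003004", "Jane Q Public", "consumer"),
    "5550001234": Account("5550001234", "Olympic Steel Inc", "business"),
}

# Legal-form words carry no identity; they are dropped before comparison
# but used separately as a hint that the payee is a business.
NOISE = {"inc", "llc", "ltd", "co", "corp", "corporation", "company", "incorporated", "the"}
BUSINESS_HINTS = {"inc", "llc", "ltd", "corp", "corporation", "company", "incorporated"}


def name_tokens(name: str) -> set:
    """Case-fold, strip accents and punctuation, drop legal-form noise words."""
    ascii_name = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode()
    return {t for t in re.findall(r"[a-z0-9]+", ascii_name.lower()) if t not in NOISE}


def name_similarity(a: str, b: str) -> float:
    """Jaccard similarity of the two token sets: 1.0 identical, 0.0 disjoint."""
    ta, tb = name_tokens(a), name_tokens(b)
    if not ta or not tb:
        return 0.0
    return len(ta & tb) / len(ta | tb)


def looks_like_business(name: str) -> bool:
    """True if the supplied beneficiary name carries a legal-form suffix."""
    return bool(set(re.findall(r"[a-z]+", name.lower())) & BUSINESS_HINTS)


def screen_credit(credit: IncomingCredit, ledger: dict, policy: str,
                  threshold: float = 0.5) -> Decision:
    """Decide what happens to an incoming credit.

    policy="alert_only": findings are recorded but the credit still posts
        (the behaviour described in the Studco facts).
    policy="hold": a credit with findings is parked for human review.
    """
    account = ledger.get(credit.account_number)
    if account is None:
        return Decision("return", ["unknown_account"])

    reasons = []
    if name_similarity(credit.beneficiary_name, account.holder) < threshold:
        reasons.append("name_mismatch")
    if account.kind == "consumer" and looks_like_business(credit.beneficiary_name):
        reasons.append("business_name_to_consumer_account")

    if not reasons:
        return Decision("post")
    if policy == "alert_only":
        # Alert fires, nobody has to look at it, the money moves: the weak setting.
        return Decision("post", reasons)
    # Fail closed: the credit does not post until an analyst clears it.
    return Decision("hold", reasons)


if __name__ == "__main__":
    # Constructed payment: a business payee name pointed at a consumer account.
    spoofed = IncomingCredit("1002003004", "Olympic Steel, Inc.", 139717.18)
    print(screen_credit(spoofed, LEDGER, policy="alert_only"))  # posts despite findings
    print(screen_credit(spoofed, LEDGER, policy="hold"))        # held for review
```

The token comparison is deliberately tolerant of punctuation and legal suffixes ("Olympic Steel, Inc." matches "Olympic Steel Inc") and of a missing middle initial, so the hold queue is not flooded with cosmetic differences; a wholly different name, or a business name landing in a personal account, is what should stop the credit. Tune the threshold against your own false-positive rate and log every hold decision with the reasons, since those records are what shows a court whether mismatches were reviewed.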

3. Citibank N.A. / New York Attorney General Lawsuit (2024‑2025)

Facts:

The New York Attorney General sued Citibank in federal court (S.D.N.Y.) in January 2024, alleging that the bank failed to protect customers from phishing and other online scams and wrongly refused to reimburse them for unauthorized transfers.

Example from the complaint: a customer lost $40,000 after responding to a phishing message that appeared to come from Citibank.

Citibank argued that the customers had effectively authorized the transfers by giving up their credentials, that it had reasonable security procedures in place, and that the Electronic Fund Transfer Act (EFTA) does not apply to wire transfers at all.

Legal Issues:

Whether the EFTA's consumer reimbursement rules for unauthorized electronic fund transfers reach phishing losses that the bank executed as wire transfers, which the statute excludes.

Whether maintaining reasonable security procedures is a defense when phishing attacks nonetheless succeed.

Holding:

In January 2025 the court denied Citibank's motion to dismiss in substantial part, rejecting the argument that the EFTA's wire-transfer exclusion put these losses entirely outside the statute, and allowed the AG's claims to proceed.

The ruling decides only that the claims are legally viable; whether Citibank's controls were in fact insufficient remains to be litigated.

Importance:

Shows regulators increasingly treating phishing losses as a bank problem, not only a customer problem, even where the bank has documented security procedures.

Demonstrates evolving legal expectations as phishing becomes more convincing, including AI-assisted attacks.

4. Studco on Appeal: Fourth Circuit Decision on Beneficiary Bank Liability (2025)

Facts:

This is the appeal in case 2 above. 1st Advantage Federal Credit Union appealed the district court's judgment holding it liable for the Studco business email compromise (BEC) payments.

The Fourth Circuit decided the appeal in February 2025.

Legal Issues:

Does a beneficiary bank have liability under UCC §4A-207 when its automated system flags a mis-description (mismatch between beneficiary name and account number) but no employee actually sees the flag, i.e., does constructive knowledge count as "actual knowledge"?

Holding:

The Fourth Circuit reversed. Under §4A-207 a beneficiary bank may rely on the account number alone and is liable only if it has actual knowledge of the mismatch; automated alerts that no employee reviewed did not give the credit union actual knowledge.

The burden is on the originator (the plaintiff) to prove that the bank actually knew of the mismatch, not merely that its systems could have detected it.

Importance:

Clarifies that, in the Fourth Circuit, beneficiary banks are liable under §4A-207 only on proof of actual knowledge of the name/number mismatch.

Draws the line between knowledge and negligence: a bank that does not review its own alerts is not charged with knowing what they said, which removes a §4A-207 claim but leaves the underlying control failure in place.

5. Deepfake Voice/Video Fraud Example (Arup, 2024)

Facts:

In January 2024 a finance employee in the Hong Kong office of the global engineering firm Arup joined a video call in which the CFO and other colleagues were deepfake impersonations.

On the "CFO's" instructions the employee made a series of transfers totaling about $25 million (HK$200 million) to accounts controlled by the attackers.

This is a reported criminal fraud, not a litigated liability decision, but it shows what AI-driven phishing can do to a standard approval chain.

Legal Issues:

Raises questions about internal payment controls, and about bank verification procedures, when a transfer is "authorized" by someone whose only proof of identity is a voice or a face on a call.

Outcome:

The loss showed that approval processes which rest on recognizing a colleague's voice or face on a live call are defeated by real-time AI impersonation.

Importance:

Shows the increasing sophistication of phishing, including AI-assisted attacks that impersonate a specific known person rather than a generic brand.

Suggests that banks and corporates need verification that does not depend on the requesting channel: a callback to a number on file that the requester did not supply, a second approver, and a hold period for new or changed beneficiaries on high-value transfers.

Key Takeaways from These Cases

Good faith matters: a bank can be liable even when its security procedure is commercially reasonable if it fails to act on red flags while executing the orders (Experi-Metal).

Beneficiary bank duty is contested: the Studco district court held a receiving bank liable for ignoring name/account mismatch alerts, but the Fourth Circuit reversed; the operational lesson (route alerts to a person who can hold the credit) stands regardless.

Regulatory pressure is growing: the New York AG's suit against Citibank over phishing losses survived a motion to dismiss, so banks should expect enforcement actions as well as private suits.

Knowledge vs. negligence: §4A-207 liability for a beneficiary bank turns on proof of actual knowledge of the mismatch, not on what its systems could have detected (Fourth Circuit in Studco).

AI-driven phishing is real: deepfake voice and video attacks show that verification resting on recognizing a person on a call is no longer sufficient for high-value transfers.
