Associated Banc-Corp was understandably upset when Earthlink Inc. told its users that the Green Bay, Wis., banking company’s Web site was a scam, perpetrated by phishers hoping to steal personal information.
In May, Associated filed a lawsuit claiming that it lost business during the two-day period, April 12-13, when Earthlink blocked people from accessing the site. But this month a judge dismissed the suit and ruled that Associated cannot blame the Atlanta Internet service provider for what it calls an honest mistake.
An Earthlink toolbar that people can add to their Web browser uses a phishing-site list provided by outside vendors to prevent people from accidentally visiting scam sites. In this case, Earthlink said, a vendor accidentally put Associated Bank’s site on the list.
Judge John Shabaz of the U.S. District Court for the Western District of Wisconsin ruled Sept. 13 that Earthlink was not responsible for the vendor’s mistake. In a response to Earthlink’s motion for summary judgment, the judge wrote that, “because the evidence indicates the information came from another provider, Defendant cannot be held liable.”
Peter Cassidy, the secretary general of the Anti-Phishing Working Group, a trade group that examines and archives phishing e-mails, said that incidents like this could become more common, because the process of creating lists of bad sites is not automated. There is “a lot of human intervention,” and the possibility for human error.
As phishing becomes a larger threat, and financial services companies and vendors take more aggressive measures to counter it, Mr. Cassidy said, this type of error could easily be repeated, since so many companies are involved in spotting, evaluating, and blocking potentially fraudulent sites.
Ariana-Michele Moore, an analyst at Celent Communications LLC in Boston, said other filtering software applications are likely blocking banks’ e-mail. For example, many anti-spam products that block commercial e-mail messages are probably blocking some banks’ messages to consumers, as well.
“Where do you draw the line?” she asked. “This seems to me like an unfortunate byproduct of how we need to operate today.”
Avivah Litan, a vice president and research director at the Stamford, Conn., market research company Gartner Inc., said, “There’s nothing worse than blacklisting the wrong site.”
Earthlink would not say which vendor made the error, nor would it say how many vendors it uses to compile the phishing-site list. Carla Shaw, an Earthlink spokeswoman, said that she was not aware of any other cases in which her company blocked a legitimate site, and that Associated Bank’s was removed from its list of bad sites within 20 minutes after Earthlink was notified of the error.
“We’re sorry for any inconvenience Associated Bank may have experienced, but phisher sites are dangerous Web sites that prey on consumers. It’s our responsibility to take every step possible to protect consumers, and we’re proud that we do so,” Ms. Shaw said.
Jonathan Drayna, the vice president of investor relations and corporate communications for Associated Bank, would not answer any questions. Though the ruling appears to leave the door open for Associated Bank to sue the vendor that allegedly made the mistake, he would not say whether his company plans to do so, or even if he knows which vendor was involved.
eBay Inc. of San Jose, Cyota Inc. of New York, and Digital Envoy Inc. of Norcross, Ga., have said in the past that they provide information to Earthlink on potential phishing sites. Ms. Shaw said she did not know if Earthlink was working with Cyota or Digital Envoy before the two vendors announced their relationships with Earthlink over the summer.
A Cyota spokesman wrote in an e-mail, “Cyota was not involved in this incident.” Digital Envoy did not return calls.
Amanda Pires, a spokeswoman for eBay, would not say whether eBay or its payment subsidiary, PayPal Inc., had any role in flagging the Associated Bank site as a phisher.
eBay and PayPal offer their own toolbar application to block fake eBay and PayPal sites, and they share their data with Earthlink.
The Associated Bank incident may have been prompted by a phishing attempt in April.
According to the Anti-Phishing Working Group, one message that was bouncing around the Internet when Earthlink blocked the bank’s site claimed to be from Associated Bank. The organization posted a copy of the message on its site April 14.
The e-mail did not use the bank’s real Web address, associatedbank.com, or even a similar domain name. Instead, it directed consumers to an Internet address composed mostly of numbers.
Ms. Litan said that for a bank, “it’s obviously a terrible thing to be down for a day,” but in this case Earthlink might have helped protect Associated’s customers.
Many phishing sites distribute viruses that can silently monitor everything a victim types, including online banking passwords, she said. If customers are blocked from visiting the real site, the virus would not have a chance to steal their passwords.
For that reason, “it’s probably better to have your site … [blocked] during a phishing attack,” she said.