A Global Crisis: What Companies Must Do to Avoid Legal Ramifications of Phishing Attacks


It wasn’t that long ago when phishing attacks were simply poorly worded messages urging you to click on a suspicious link.  

However, by 2024, things have changed.  

An increasingly digital and interconnected world has brought with it heightened cybersecurity concerns. New technology has enabled fraudulent activity, including phishing attacks, to occur with greater frequency, speed, and effectiveness. 

For instance, the Global State of Scams Report in 2023 found that over one in four individuals lost money to scams or identity theft last year — totaling a staggering $1.026 trillion in financial losses. For comparison, in 2021, this figure was $55.3 billion. 

Meanwhile, many organizations have been caught sleeping — either underestimating the threat or relying on traditional fraud detection systems that no longer cut it to effectively catch and takedown evolving threat types.  

In the coming years, in addition to damaging their reputations and potentially losing customers, businesses that fall behind will face even more severe consequences—legal action and hefty fines. 

Let’s look at how technology has enabled more advanced phishing techniques, the ramifications for organizations that aren’t proactive in dealing with fraud attacks, and outline a solution to avoid major fines and ensure compliance. 

Evolution of Phishing Attacks

Despite being one of the most well-known and easily identifiable fraud techniques, phishing remains highly prevalent. For instance, Cisco’s 2021 cybersecurity report said that phishing attacks made up more than 90% of all data breaches. Major organizations like Google, Facebook, and Sony have all fallen prey to such attacks. 

Modern technology has enabled more sophisticated phishing practices, with bad faith actors leveraging AI technologies to craft more targeted messages, machine learning to refine strategies, and deep fakes to appear more authentic. 

Organizations are left dealing with the damaging results of the new cyber attacks, including indirect costs related to: 

  • Rebuilding their brand following an attack  
  • Reestablishing trust among customers and stakeholders  
  • Developing future cybersecurity awareness programs 
  • The loss of productivity following a breach 

Businesses also face the wrath of multiple regulatory bodies that enforce strict data protection measures, including safeguarding against phishing threats. For instance, the European Union’s General Data Protection Regulation (GDPR) imposes a fine of up to Eur 20 million for companies that fail to properly protect customer PII data from cyber threats. 

In the U.S., regulations like HIPAA set measures to safeguard healthcare data, non-compliance with which results in significant fines, and legal penalties. 

Other independent regulations, such as the Payment Card Industry Data Security Standard (PCI DSS), also call for implementing robust security mechanisms— such as a Domain-based Message Authentication or a Sender Policy Framework — to protect against phishing in the financial sector. 

Besides these regulations, organizations may also face civil lawsuits by customers whose data has been compromised following a phishing attack on an organization. 

The Growing Trend: Impending Fines and Legal Impact of Ignoring Phishing Protection

In recent years, governments around the world have recognized the severity of phishing attacks, and have begun implementing their own legal ramifications and fines for businesses that fail to put protective measures in place to prevent phishing attacks. This has put more pressure on organizations to implement robust scam control measures, and test out security solutions that offer phishing protection. 

Consider these two recent examples. 

Singapore’s new anti-phishing strategy & regulations

In October 2023, Singapore outlined a new framework that holds financial institutions and telcos accountable as the first line of defense in preventing phishing. 

Apart from assigning relevant duties to financial institutions and telcos to mitigate such scams, the new framework also outlines the monetary damages to be paid to affected victims should these duties be breached.  

The move was prompted by a massive phishing attack on nearly 800 OCBC bank customers in 2022, resulting in losses totaling $10.18 million. 

In its framework, the Singapore government observes that financial institutions are critical gatekeepers against the outflow of funds. At the same time, telcos play a supporting role as providers of SMS, which scammers use to communicate with victims. 

Under a proposed “waterfall approach,” banks will be expected to bear the full loss of such scams should they fail to establish phishing protection and data security measures, followed closely by telcos. 

Examples of such duty breaches include banks failing to send outgoing transaction notifications to customers or telcos not implementing appropriate scam filters. 

Customers aren’t completely let off the hook either. Customers who give credentials verbally to scammers will be expected to bear all losses. Furthermore, if the financial institutions and telcos have been found to have carried out their respective duties, they will not be held accountable.  

The new policy thus also emphasizes the need for heightened awareness among customers. As threats evolve, and organizations are held more responsible to be proactive against phishing attacks, customers are also required to be as proactive and aware as possible.  

Granting access to hackers through a phishing attack doesn’t just impact the one customer who let them through; it can have a damaging ripple effect throughout the business. 

New York Vs. CitiBank

Meanwhile, in the U.S., the the state of New York attorney general has sued CitiBank, the country’s third-largest bank, for its alleged failure to protect consumers. The bank, prosecutors say, misled consumers about their rights and about its security procedures. 

The lawsuit, filed in 2024,  asks Citi to provide a list of consumers who lost money in fraudulent wire transfers over the past six years, provide restitution and damages for those consumers, and pay a civil penalty of $5,000 for each time it was determined that Citi violated a New York law prohibiting deceptive commercial acts of practices.  

Overall, the complaint could result in CitiBank paying millions in civil penalties and restitution. The prosecutors said the bank lacked several robust security procedures, including heightened verification procedures for wire transfers tied to unusual activity, such as an account password change. 

The Importance of AI Security Solutions

Given this changing landscape, the pressure to implement anti-scam measures has never been higher. 

Fortunately, while technology has enabled more advanced scams, it has also offered more robust ways of protecting organizations and their customers. Employee training and awareness is, of course, a crucial aspect. But organizations can also solely rely on traditional fraud detection systems in their fight against phishing attacks, which is why most are turning to anti-phishing technology to fight attacks.  

This is where the power of AI security solutions comes in. At Bolster AI, we have created an industry-leading LLM platform that leverages advanced technology to automatically detect and take down phishing sites within minutes, without the need for human intervention.  

In the near future, such software will make up the cornerstone of an organization’s cybersecurity measures, protecting both internal teams and customers from sophisticated fraud, improving reputations, and reducing the risk of dealing with massive fines and legal ramifications. This software might become more and more of a requirement for businesses that must demonstrate active protection measures against phishing attacks. 

To learn more about how Bolster uses AI and trained LLM’s to detect phishing and scam sites and how you can benefit from our scalable and user-friendly platform, request a demo with our team today.