Banks may stop compensating victims of phishing scams, warned consumer group
Which?.
In its report into online phishing, Which? suggested that the patience of
banks is running out.
“So far banks have refunded money lost by people who are tricked in this way,
but several have suggested they may not in future,” said Which?
Spokesman Mike Naylor said the consumer organisation reached its conclusion
after discussions with banking group Apacs about the problem of phishing and
how it affected consumers.
“Apacs hinted that the mood of banks suggests many will not compensate for
phishing in the future,” he said.
Which? pointed to a case last year in which the Bank of Ireland had taken
this stance, although it backtracked and finally agreed to refund victims of
a phishing scam in which customers lost a total of €113,000 (£76,770).
When contacted by Computeractive, Apacs confirmed that in future, victims of
phishing attacks may not be compensated by their bank.
“What it comes down to is that banks may choose not to refund a customer if
he or she often falls victim to phishing,” said Simon Bennett, spokesman for
APACS.
“Once is ok but twice is probably the cut off on refunds as [this can] be
seen as negligence, especially if the victim has been advised by the bank.”
However, he said, the organisation had “not seen any moves by any other banks
to do this.”
“We don’t know what banks are going to do in the future. At the moment many
do refund for phishing but what happens in future remains to be seen,” he said.
The report formed Which?'s submission to the bank review board, which is
looking at proposals for changes to the banking code of practice.
The voluntary code of practice sets standards for good banking practice by
banks and building societies in the UK. Which? said the lack of clarity about
the protection from banks for victims of phishing attacks indicated a need to
introduce clear guidelines in the code.
“The code needs to be updated because without guidelines it is difficult for
customers to complain. The banks have a get-out clause at the moment and they
make decisions about compensation on a case-by-case basis,” said Naylor.
Until then, he said, banks are legally able to change their policies
regarding phishing as long as they inform their customers in their terms and
conditions.
However, until any changes are made to the banking code, Which? Money Editor
Martyn Hocking advised the public to protect themselves when banking online.
“If you receive an email that seems to be from your bank, don’t reply to it –
give your bank a call instead,” he said.
Apacs reiterated the advice and pointed out that banks will not send their
customers emails about their accounts. It also advised online bankers never to
click on links in emails but to type the bank's address in the toolbar.