"It is amazing how many banks have servers compromised to host phishing sites.

"It is now more common to attack a network in a bank because it is the last place someone would look. Phishers need to eliminate the number of e-mails sent out to reduce the noise and just focus on, say, 100 e-mails directed towards employees of a bank.

"I think banks will be passing the costs of losses to phishing scams onto the customer in the next two years."

Henry said banks are reluctant to refund losses if an account is hijacked.

For example, he said a Bank of America customer had a PC compromised with a Trojan losing US$90,000 from the account.