Phishing could be stopped very quickly if banks were
made responsible for the losses incurred, according to security guru
Bruce Schneier.
Writing in his Crypto-gram newsletter, Schneier noted that, while new anti-phishing laws might have some
effect, the problem will not be resolved until the financial institutions take
responsibility for fraud, thus giving them an incentive to stop it.
"Push all of the responsibility for identity theft
onto the financial institutions, and phishing will go away," said Schneier.
"This fraud will go away not because people will suddenly get smart and quit
responding to phishing emails, or because California has new criminal penalties
for phishing, or because ISPs will recognise and delete the emails.
"It will go away because the information a criminal can get from a phishing
attack will not be enough to commit fraud because the companies won't stand for
all those losses."
Schneier maintains that one of the fundamental rules of security is that
"the entity that is in the best position to mitigate the risk is responsible for
that risk".
While he accepts that many financial organisations already pay for phishing
losses directly, he argues that this ignores the indirect costs. Damage to credit
ratings and time spent opening new bank accounts are all borne by the consumer.
In the past, banks have been accused of complacency about the phishing problem,
even though it costs billions each year.