It's one of the main reasons banks will implement DMARC. In the cases of fraud via email where people believed the email was from the bank, the yardstick that determined whether the bank was responsible and should compensate was "what would the average person be reasonably expected to believe?" If it was a good phish, the bank had to pay out. I don't believe solicitors have as strict a responsibility, although I do believe they still have to protect their clients, so it is only a matter of time before DMARC becomes a requirement.
It's an interesting philosophical question - at what point does it become negligence to not deploy a means of stopping your clients from being defrauded?