Under Sec. 9 of the Electronic Financial Transaction Act of Korea (EFTA), ‘gross negligence’ of an individual user (as opposed to a commercial user) would provide a ground for full or partial immunity for financial institutions who would otherwise be strictly liable for loss caused by certain specified types of unauthorized fund transfers. The gross negligence under EFTA, however, is narrowly defined by the relevant ordinance so that court can find gross negligence only when the statutory “means of access” to one’s account is leaked or exposed. Account password, OTP, iTAN numbers are not included in the statutory definition of “means of access”. It would be wrong to find gross negligence on the ground that these passwords have been leaked or exposed by an individual who fell victim to phishing or pharming scheme. Supreme Court has maintained three different types of “gross negligence” reflecting different policy considerations. (1) In the case of gross negligence under Sec. 109 and Sec. 1019 of Civil Code, the court finds gross negligence when there is ‘manifest lack of attention’ and nothing more. (2) In the case of gross negligence under the Act Regarding Liability for Negligently Caused Fire and the State Compensation Act, the court would require more than manifest lack of attention. Gross negligence of a tortfeasor under these Acts will be found only when the carelessness is ‘close to deliberate knowledge’. (3) In the case of employer’s vicarious liability, the court would find victim’s gross negligence (which will bar the victim’s claim for compensation) when not only the carelessness of the victim is ‘close to deliberate knowledge’, but also ‘when there is a reasonable ground to conclude that, in fairness, the victim in question need not be protected’. Gross negligence of a victim of online fraud (under Sec. 9 of EFTA) should be determined in the same manner as the victim in employer’s vicarious liability cases. If the Court finds victim’s gross negligence on a low threshold and provides immunity for the banks relatively easily, then the banks would have little incentive to invest in better security standard to reduce the number of online fraud victims.