Financial institutions may be liable for losses suffered as a result of bank phishing unless the customer acted with gross negligence or fraudulently
More and more cases are coming to AddVANTE’s litigation department in relation to computer-related crime. These cases are varied and, depending on the type of case, the victim has more or less recourse to seek compensation for the damage suffered. In this article we will focus on so-called “bank phishing” and the possibility of claiming against the bank responsible for providing the means of payment service.
An example of “bank phishing”
By “bank phishing” we refer to cases in which a person receives SMS messages, e-mails or calls from someone pretending to be their trusted bank, sending them some kind of lure with the aim of obtaining their digital banking access credentials or their means of payment. A typical lure is an SMS asking the user to update their account or confirm a payment. The SMS includes a link to a fake page that looks very similar to the bank’s official website, where the victim enters his or her personal data. Once the attacker has obtained the passwords and can access digital banking, they order transfers, take over card details or even contract new means of payment that allow them to empty the victim’s accounts at the bank.
What is the bank’s responsibility for the safekeeping of the money?
The chances of finding the perpetrator of the crime are often slim, as the perpetrator is frequently outside the national territory or has used third parties to hide their identity. Today, the liability of the financial institution is delimited by Royal Decree Law 19/2018 of 23 November, on payment services and other urgent measures in financial matters.
This legislation regulates a quasi-subjective liability regime for providers of payment services. Under this type of liability, the bank must answer for and reimburse the customer for the amounts of payment orders that were executed without the customer’s authorisation, unless, as a general rule, it can prove the serious fault or fraudulent behaviour of the user of the service. In addition, in the case of transactions where the bank failed to apply strong customer authentication when required by law, liability can only be excluded if the bank proves that the customer acted fraudulently.
Similarly, the bank must bear the financial losses that occur after the customer informs the bank of the theft or misuse of the means of payment, unless, as before, it proves that the customer acted fraudulently. It is important to bear in mind that the burden of proving the culpable or fraudulent behaviour that exonerates the institution lies with the financial institution itself. To exonerate itself on the grounds of the user’s gross negligence, the financial institution usually relies on the user’s own statement acknowledging that he or she provided data or passwords to a fraudulent website or in reply to a fraudulent SMS.
More and more frequently, we are finding court rulings which hold that, even though the user acknowledges having provided their data to a false website, the responsibility remains with the entity, because the user did so not intentionally but as a result of the deception caused by the offender, and users are not required to know technical aspects such as how to distinguish between practically identical websites.
This line of judgments indicates that it is up to the bank to adopt advanced technological solutions to guarantee the security of digital banking.
What should I do if I have been a victim of bank phishing?
Despite the difficulty of locating the “hacker” and recovering the stolen money from them, it is advisable to file the corresponding report or criminal complaint and follow it up.
These actions, although unlikely to be successful in the short term, can uncover the existence of a criminal organisation and put an end to the fraudulent practice. However, both in the complaint and in the communication of the incident to your institution, we recommend that you carefully assess how the information is worded, especially bearing in mind that institutions will hide behind any pretext to attribute a seriously negligent action to you in order to avoid responsibility.
Appropriate security measures should also be taken, such as changing passwords and checking that personal data (contact details, registered phone numbers, linked accounts) have not been changed. If the same password is used for several e-mail accounts or systems, it is likely that these have also been compromised, and it would be advisable to review the security of all devices and accounts. It is also advisable to file a complaint with the financial institution for any unauthorised withdrawals.
If the entity does not reimburse the amounts, it is possible to file a complaint with the entity’s own customer complaint service, then with the entity’s Customer Ombudsman and, finally, to file a legal claim.
However, for these actions to be viable, it is vital to be very cautious with the information provided and the statements made, especially if they could be used by the institution itself to allege that the user has acknowledged negligent behaviour that exonerates the institution of its responsibility.
From the litigation department of AddVANTE we can provide, from the outset, the advice required by any person or company that has been a victim of “bank phishing”, offering a comprehensive and coordinated response from the firm’s different legal and technological areas.