Banks must repay the amounts defrauded by Phishing
Latest court rulings on Phishing: Condemns banking entities to repay the amounts defrauded
“Phishing” is becoming one of the most common forms of scam in recent times, and it is therefore important to know what these scams are, what instruments individuals have to defend themselves if they fall victim, and what responsibility banking entities bear in the face of this new type of computer crime.
But, what do the judges say about the responsibility of these entities towards their clients? Are the banking entities responsible for compensating the funds stolen by the fraudsters? Can these entities demand the return of the amounts defrauded from those responsible for the crime?
These and other questions are beginning to be resolved by the Spanish courts in the increasingly numerous proceedings brought by individuals affected by phishing against their banking entities under Royal Decree-law 19/2018, of November 23, on payment services and other urgent measures in financial matters (hereinafter, the Payment Services Law), by virtue of which payment service providers are required to return to individuals the amount of unauthorized operations unless they expressly prove that “the user of the payment service committed fraud or gross negligence” (art. 44.3 Payment Services Law).
In this regard, the Courts and Tribunals are ruling in the sense of holding banking entities responsible for unauthorized payment executions, imposing on them the obligation to compensate customers for the damages suffered as a result of illegitimate access to their online banking accounts.
One of the most recent Judgments was handed down on January 25, 2022 by the Court of First Instance and Instruction No. 2 of Redondela (Pontevedra) (appealed; as of this date no Judgment on the appeal has been handed down), in which the entity BBVA is ordered to repay the injured party the amount defrauded through the technique of identity theft. The factual element determining the conviction of BBVA in this case was its inability to demonstrate that the fraudulent operation had been carried out from the customer’s usual IP address because, as stated in the Judgment, the bank must exercise a high level of diligence and care when the transaction originates from an IP address (the numerical representation of the point on the Internet where a device is connected) that is not the one that usually corresponds to the client, since this circumstance is a clear signal for the bank to set off alarm bells before accepting the bank transaction.
The Judge bases his ruling on the literal wording of art. 44 of the Payment Services Law, which imposes a legal reversal of the burden of proof: it must be the bank that demonstrates “that the payment transaction was authenticated, accurately recorded and accounted for, and that it was not affected by a technical failure or other deficiency of the service provided by the payment service provider”. Likewise, the injured party provided the court with screenshots of the fraudulent messages received, proving that the page that requested the bank passwords was exactly the same as the official page of this bank, thereby denying any hint of negligence on the part of the individual.
The Hon. Provincial Court of Pontevedra has ruled in similar terms in its Judgment No. 539/2021, of December 21, 2021, revoking the Judgment handed down in the first instance and ordering ABANCA to reimburse the victim of a phishing crime for the amounts stolen because, according to the ruling, the bank was unable to prove compliance with its due diligence obligations, both for the authentication of payment transactions and for having the necessary anti-phishing technology to detect pages cloned from its own official ones and close or delete them. Correlatively, the court considers that negligence cannot be attributed to a user who enters their access codes on a page identical to the official one of the bank, not even when the message contains small indicators of its fraudulent origin such as misspellings or a lack of specificity about the genuine operation to which it supposedly refers, because, as the court rightly affirms:
“Phishing uses social engineering techniques to gain the trust of the user of the payment instrument and take advantage of cognitive biases in decision-making, which, in this case, would have materialized in the simulation of a shipment in the name of an entity trusted by the user (Post and Telegraph), and in the use of the confirmation bias by which information that confirms opinions already held, or that is consistent with facts already known, tends to be favored.”
The Ilma. Provincial Court of Madrid has also ruled in its Judgment No. 74/2022, of February 28, 2022, condemning BBVA under the Payment Services Law to return to a commercial company the amounts defrauded by way of what is known as “CEO fraud” which, as stated by the court, consists of a type of fraud that mixes social engineering and phishing techniques to get a worker or employee with access to the company’s bank credentials (usually a small company with a close relationship between employees) to believe that their boss or superior has asked them to make a transfer, send money or make a payment of some kind or, where appropriate, that they have been asked for the company’s bank details. In this case, the Provincial Court affirms that, given the quasi-objective nature of the liability imposed by the Payment Services Law, only proof of “serious negligence” on the part of the payer may exonerate the bank from its obligation to repay the amounts defrauded.
María Olivares Sánchez
Commercial Law Department