Smishing, computer scam by SMS

The crisis situation caused by COVID-19, together with the increasing digitization of services, has caused an increase in purchases and services contracted by computer means. This has consequently caused a significant increase in the commission of computer fraud crimes (“phishing”), especially highlighting the new modality known as “smishing”, consisting of the computer artifice by which a third party defrauds by text message (SMS). ) or email.

What is smishing

Smishing is a computer scam, as defined by jurisprudence, which is a a type of phishing consisting of the massive sending of emails or SMS to individuals and companies in which a third, posing as a legitimate entity (eg social network, bank, public institution, etc.) provides a fraudulent link by message through which the user is redirected to a false web page where they are required to enter data files, download a malicious file or make a bank transfer.

The problem arises when the user, trusting the official status of the web page to which he is redirected, provides his bank details in order to process a payment that is pending or, following the indications of the fraudulent link, installs a mobile application with which the third-party scammer (smisher) obtains remote control of the device, so that said scammer ends up obtaining the bank details with which to steal the patrimonial asset of the user.

Read: “Digital scams: Paying invoices to the fraudster who pretends to be a real supplier”

Responsibility of the bank against the “smishing” scam

Computer fraud in all its forms is expressly penalized in article 248.2 of the Criminal Code and as described by the Provincial Court of Madrid (sec. 1) in its Judgment of June 2, 2020 (rec. 431/2020), usually develops in three phases:

“a first, of discovery of the keys and passwords by any of the aforementioned methods; a second, access to accounts and carrying out transfers of assets; and a third, which is the one that is of interest within this procedure, which consists of the effective seizure of the assets and the development of a system that prevents their location. This last procedure normally consists of sending the assets abroad, frequently to Eastern European countries, through postal delivery systems such as Western Union or Money Gram which, because they operate with alphanumeric codes, make it very difficult to track the money.

However, the criminal order is not the only possible way to recover the amounts that have been unlawfully taken since the recent Royal Decree-Law 19/2018, of November 23 , of payment services and other urgent measures in financial matters (hereinafter, RDL 19/2018), which repealed the Payment Services Law of 2009, establishes in its article 45 the possibility of claiming the bank that authorized the operation the illegally stolen amounts. To do this, the following requirements must be met:

1. The lack of consent of the victim regarding payment operations and, if they have given it, there must have been deception or manipulation.
2. The lack of gross negligence or fraud on the part of the affected party. In addition, if the bank suspects that there is fraudulent intent on the part of the affected party, it must notify the Banco de España in writing.
3. Prior notification to the bank by the affected party of unauthorized or incorrectly executed operations within a period of three months from the date they were carried out.

Likewise, the aforementioned RDL 19/2018 does not make distinctions regarding the responsibility of banks in the face of the different types of computer fraud, and it can therefore be understood that the above requirements are equally applicable to the “smishing” type of scam.

It May Interest You: “Scams Digital: Bank’s Responsibility for Phishing”

Current jurisprudence in cases of “smishing”

Despite the topicality of the matter, there are already rulings that speak of the responsibility of banking entities when the deception comes from links provided by email or SMS. Among others, it is worth mentioning the Judgment of the Provincial Court of Ciudad Real, of May 20, 2021 (no. rec. 528/2019), which establishes that the bank must use greater care when the transfer order has its origin in a link obtained via email or fax given the inherent risk that these forms of communication entail, and the bank must verify the veracity of said order, especially if it is about very high amounts, unusual operations in the user or requests made from abroad.

It is also worth mentioning the recent Judgment no. 289/2021 of the Provincial Court of Seville, of July 30, 2021 (no. rec. 8540/2019), in In the same terms indicated above, the bank has been sentenced to return part of the illegally stolen funds and this because it considers that it has a reinforced duty of diligence, enforceable from an “expert commercial”, and it cannot be considered as negligence or fault having fallen into the fraud of an apparently true email or web page.

Conclusions

The Spanish Courts and Tribunals are considering that banking entities have a quasi-objective responsibility in relation to the execution of unauthorized payment orders, being sentenced to return the amounts object of the computer scam whatever its modality. Of course, the affected party must not have mediated gross negligence or fraudulent intent, in any case having the bank to prove the malpractice of the alleged scammed party.

Nerea Ortiz de Zárate Beitia
Commercial Law Department

02/17/2022