Bank phishing, the new digital scam.
Phishing is defined as the computerised form of the crime of fraud. Its typical conduct consists of the perpetrator (the active subject) obtaining data such as passwords, bank account numbers, identities and bank card details, which the victim (the passive subject) hands over by mistake, and then using them fraudulently to obtain an economic benefit to the detriment of the holder of that data, those accounts and those cards.
There are several types of phishing, but all of them aim to get the user to click on a link or download a malicious file. To achieve this, these are some of the wordings most frequently used by attackers in their messages:
- There has been unusual activity on your account.
- Check your payment details.
- Confirm your bank/personal details.
- We will send you your latest invoice.
- Finalise your purchase by clicking on the following link.
- I’m your branch advisor!
Given the difficulty of identifying the cybercriminal, who hides behind sophisticated techniques that keep them anonymous, many victims of phishing never take the step of reporting it. However, reporting is essential in order to be able to claim against the bank that may have allowed the transaction to go through.
Let us not forget that banks are obliged to safeguard the money in their customers’ accounts. Therefore, provided certain conditions are met, it is the bank that is liable for the attack. In fact, the only way for the bank to avoid its liability is to prove gross negligence on the part of the customer, i.e. that the fraud was caused by the customer’s blatant carelessness and not by the poor security of the bank’s systems.
Thus, in Spain, the rights and obligations (responsibilities) of providers and users in relation to payment services are set out in Royal Decree-Law 19/2018, of 23 November, on payment services and other urgent financial measures (hereinafter RDL 19/2018). The main purpose of this RDL, which reveals the legislator’s real intention, is that users should be duly protected against the risks inherent in digital means of payment.
In our opinion, it has established quasi-subjective or risk liability for banks (Art. 45 RDL 19/2018). This is because the only defence available to the bank to avoid the obligation to return the amounts stolen is that the user acted fraudulently, or breached, deliberately or through gross negligence, one or more of the obligations established in article 41 of RDL 19/2018 (Art. 46 RDL 19/2018), i.e. that the user breached the obligation to safeguard their personal credentials with ‘all reasonable measures’.
However, although current case law is not uniform, the vast majority of Courts are inclined to exclude the user’s negligence, because the current degree of sophistication and professionalism of phishing makes the deception very difficult for the user to detect. In other words, the deception suffered by the user is sufficient to exclude gross negligence and shifts strict liability to the payment service provider. Furthermore, the bank bears the burden of proving that there was gross negligence on the part of the user (Art. 31 RDL 19/2018).
At M5Legal, our phishing experts are committed to providing you with the support you need to deal with difficult situations. Don’t let a phishing scam jeopardise your rights and financial well-being. Contact us now and trust our phishing lawyers for the best legal representation.