Following a recent increase in phishing attacks, we discussed the most commonly used phishing techniques. This article assesses the legal position concerning phishing. Is the bank or the customer liable for the loss caused by a phishing attack?
Liability for phishing attacks
Legally speaking, when a bank processes a money transfer at the request of a customer, it does so out of its own assets. Under §§ 675c(1), 670 German Civil Code (Bürgerliches Gesetzbuch, BGB), the bank acquires a right to the reimbursement of expenditure, which it can exercise against its customer.
However, if the account holder did not actually instruct the transfer, the bank lacks authority to conduct the transaction. This means that the account holder is entitled to refuse to authorise the transaction and the bank loses its right to the reimbursement of expenditure (see § 684(2) BGB). Under the rules introduced by the 2007 Payment Services Directive, payment service providers have no right to reimbursement of expenditure for transactions which have not been authorised by the payment service customer (§ 675u BGB).
If, despite the lack of authorisation, the money has already been debited from the customer’s account, the customer is entitled to reimbursement (§ 812(1) first sentence, second alternative BGB). The bank cannot rely on any primary rights contained in the contract between it and its customer.
Compensation for breach of duty of care
The bank could, however, rely on secondary rights arising out of a breach of duty of care.
Usually, the Trojans, or other malicious software, used to perpetrate phishing and pharming attacks are not directed at a bank’s IT system but at the usually less well protected private computer of each customer. For this reason banks normally require their customers to exercise at least a minimum level of care to protect their computers and prevent attacks.
If a customer fails to fulfil this duty of care, the bank may be able to claim compensation in order to receive reimbursement of the expenditure.
Duty of care
Online banking customers are under a duty of care to protect their computers through a number of measures including updating anti-virus software and other security-relevant software, and keeping their operating system and web browser updated.
In their terms and conditions, many banks also require customers to keep authentication data (PIN and TAN numbers) secret and not to divulge them to third parties. Customers breach this duty if they pass on such data to fraudsters, even if they are under the mistaken impression that they are communicating with their bank.
In a judgment from 24 April 2004, Germany’s Federal Court of Justice (Bundesgerichtshof, BGH) ruled that a banking customer who entered 10 TAN numbers on a fake website had acted negligently and breached his duty of care.
The BGH noted that customers only act negligently if they fail to observe the relevant level of care; that is to say, if they could reasonably have been expected to avoid the mistake.
Fake websites are difficult to recognise
The case above shows that it may well have been reasonable to expect the banking customer to have avoided entering 10 TAN numbers on a fake website.
Nevertheless, it used to be easier to recognise fake websites and fraudulent e-mails, as they often contained design errors and spelling and grammar mistakes. Nowadays fake websites are near perfect.
The traditional method of double checking the web address to see if it contains an extra “s” denoting that the website is secure (as in “https://”) is no longer considered sufficient to protect against Trojan attacks. Instead, internet users should also check the website’s security certificate.
It is therefore comforting to note that the current predominant legal view, held by experts and the BGH, is that it is unreasonable to expect banking customers to have the technical know-how to double check a website’s security certificate.
Customers should recognise suspicious activity
The liability for loss resulting from phishing can also move to customers when they fail to fulfil their duty to recognise suspicious activity.
Where traditional phishing e-mails are concerned, customers should recognise suspicious activity and should be aware that their bank will never contact them by e-mail and require them to enter highly sensitive personal data. In particular, banks will never ask customers to enter their details 10 times.
Here, the industry is unanimous in its view that it is reasonable to expect banking customers to recognise and interpret such suspicious activity and not to click on links contained in phishing e-mails.
If customers do follow the instructions in such e-mails, they are liable for the breach of their duty of care.
If it can be clearly proven that a customer breached their duty of care, the bank is entitled to claim compensation.
What’s more, if a court finds the customer grossly negligent, the bank is entitled to fully offset its claim for compensation against the customer’s claim for the amount to be re-credited.
The result is often less than satisfactory for banking customers, who frequently go away empty-handed.
Social engineering Trojans
The law differentiates between cases where Trojans are used to obtain TAN or PIN numbers through fake e-mails and so-called social engineering Trojans. In the latter case, it is questionable whether banks can be held liable for fraudulent transactions.
Social engineering Trojans aim to influence interpersonal communication and encourage the target person to undertake an activity.
In a previous article we discussed a case in which an online banking customer was informed on the bank’s platform via a fake e-mail that an incorrect transaction had taken place and that his account had been frozen until he transferred the corresponding amount back to the “rightful” owner.
The man was convinced by the official-looking, properly written e-mail, which purportedly originated from the bank, and completed the reverse transfer.
No right to reimbursement
In this case, technically speaking, the customer did indeed knowingly and intentionally authorise the transaction. From a legal point of view, it can be disputed whether the customer really acted with intention.
If a court were to rule that the transfer was authorised, the customer would be unable to rely on the argument that the bank undertook an unauthorised transaction and would be unable to refuse consent (see § 675u BGB).
This means that the bank’s right to reimbursement of expenditure would still apply. Any money debited from the customer’s account could not be reclaimed, as the bank would have acted with authorisation and under a sound legal basis.
Can the customer challenge the transfer?
Whether a customer can challenge the fraudulent transfer of money is questionable.
One could consider the customer bringing an action for intentional deception under § 123 BGB. Here, the authorisation the customer gave to the bank would be declared void. However, as the fraud is committed by a third person, the only recourse open to a banking customer is to bring a claim against the bank. In this situation, the authorisation can only be declared void if the bank knew or should have known of the deception.
Given the large number of financial transactions conducted online, expecting the bank to know that a particular hacker is committing fraud would place an absurd burden upon financial institutions.
A claim for intentional deception would therefore fail.
Claiming that the transaction should be considered void as a result of mistake under § 119 BGB would also fail. This is because, when giving a declaration of intent (i.e. making the transfer), the banking customer did not make a mistake in relation to the content of the transfer. The customer knew, and intended, that a certain amount of money would be transferred to the recipient. The only mistake here concerns motivation, which is legally irrelevant. The intended recipient of the payment is entitled to receive it.
It may be possible for the banking customer to claim compensation from the bank. In order to do so, the customer must prove that the bank breached its duty of care.
However, most Trojans are aimed at the personal computers of private individuals, and many banks’ terms and conditions require customers to protect their computers with updated anti-virus software.
The responsibility to take precautions therefore rests with those individuals and any claims for compensation following malicious software attacks will usually fail.
While in many phishing cases, banks are unable to prove a customer was grossly negligent, cases concerning social engineering could leave customers with no redress.
Many banks, however, are willing to return lost money on a goodwill basis and without admission of legal liability.
Before it comes to that, here are some tips on how to protect yourself against phishing attacks:
- Never give your PIN or TAN details to anybody via e-mail or telephone (except during telephone banking)
- Even where an e-mail appears authentic and contains strong demands, it is better to double check with your bank once too often, than once too little.
- If you have fallen victim to a phishing attack, take legal advice. In our experience, money can often be reimbursed.
For more information on phishing or for advice on how to react to a phishing attack, contact WILDE BEUGER SOLMECKE on 0221 / 951 563 0 (advice available nationwide).