February 19, 2024 – Anyone who carelessly increases their transfer limit as part of a phishing attack, and thereby enables online fraudsters to access their bank account, is acting with gross negligence. They therefore have no right to have their financial institution credit their account with the money stolen by the fraudsters. The Frankfurt am Main Higher Regional Court decided this in a judgment of December 6, 2023 (3 U 3/23) published on Wednesday, thereby confirming a decision of the lower court.
In September 2021, a lawyer and tax advisor working in an international law firm received a text message that purportedly came from his savings bank. He was informed that his account had been restricted and that he should register for a new online banking procedure by following a web link.
Fraudsters caused the transfer limit to be increased
Since the link contained the word Sparkasse and a telephone number that the financial institution had already used in the past to inform the customer about temporary closures following security incidents, he was not suspicious. So he followed the link.
The lawyer was then called by an alleged employee of the savings bank. The caller prompted him to temporarily increase the daily transfer limit from 10,000 euros to 50,000 euros by means of a so-called PushTAN and verification via facial recognition.
Shortly afterwards, his account was debited with a transfer of 49,999.99 euros. An unknown male person was named as the recipient of the money.
After the injured party unsuccessfully requested that his financial institution credit the stolen amount back to his account, he filed a lawsuit with the Frankfurt regional court. However, the regional court considered his claim unfounded, as did the higher regional court of the city on the Main, which dealt with the case in the second instance.
Bank customer acted with gross negligence
After taking evidence, the judges were convinced that the plaintiff had confirmed something in his PushTAN app using facial recognition not just once, as he claimed, but several times. Given the sophisticated security system, there was no other way for the perpetrator to transfer the almost 50,000 euros from his account.
Furthermore, by confirming PushTANs at the caller’s request, the plaintiff violated his obligation to protect security features from unauthorized access and thus granted an unknown third party access to a personalized security feature.
In doing so, he effectively placed control of the authentication instrument in the hands of the caller. He therefore had to accept the accusation of having acted with gross negligence.
When approval is requested, the account holder is generally shown which specific process, such as a transfer, requires authentication. The specific amount of the money transfer is also shown.
Known attack pattern: phishing
“If a customer does not heed these clear instructions and gives approval without paying attention to the display, this is not simply a negligent breach of duty,” explained the Higher Regional Court.
When using an app that is explicitly used to approve financial transactions, it must generally be clear to everyone that the display must not only be acknowledged, but also thoroughly checked. This applies even more in the present case given the plaintiff’s professional qualifications.
In addition, customers of financial institutions have been warned about phishing attacks for years. Among other things, these warnings point out that fraudsters give the impression that their message comes from a payment service provider. However, the links in such messages typically lead to fake websites.
After all of this, the plaintiff is now almost 50,000 euros poorer.
A decision has not yet been made regarding whether an appeal will be permitted
The judges saw no reason to allow an appeal against their decision to the Federal Court of Justice.
The plaintiff has since challenged this with a non-admission complaint. The Federal Court of Justice (BGH) has not yet decided on it.
2024-02-18 23:45:32