
Legal and the Law in Spain

Banks must protect clients from scams or face compensation payouts


Fraud that harvests user data in order to obtain money is increasing, with phishing, smishing and their variations becoming commonplace. Also increasing is the onus on banks to protect clients from these fraudulent acts or pay compensation for the consequences.

In the latest ruling, the Provincial Court of Alicante rejected an appeal filed by Caja Rural Central against a first-instance ruling that obliged it to refund 4,985 euro which a client had lost in such a fraud. Although she did not remember having received any communication asking for her password, the magistrates concluded that “it is up to the defendant to prove that the operation ordered was authentic.”

Another example is the conviction of Caja Rural de Asturias, which last year had to pay the amount of 5,828.35 euro to a woman whose account was charged with unauthorised payments after downloading the bank’s application on her mobile phone. “An average user does not have to know that the address of the website of the message was in Russia,” the judge stated.

Also in 2023, a Santander judge sentenced Unicaja to pay 5,000 euro to a client who was scammed with the same app technique. “For a non-expert it is not easy to detect that the message received is fraudulent or that the website they have accessed through the link provided is false,” she said.

These court rulings, with costs imposed on the bank and interest added to the compensation, show that the ignorance of individuals is not synonymous with negligent behaviour in these circumstances. Thus, the concept of ‘quasi-objective liability’ arises: the entity is guilty unless it demonstrates serious negligence on the part of the user.

Another of the most common strategies used by cybercriminals is sending messages in which the user is asked to confirm their personal data and/or access codes. Last year, Santander bank was sentenced to pay compensation of 5,895 euro for not preventing this fraudulent manoeuvre. The victim in this case was alerted when she detected several purchases with her card that she had not made, after providing her banking information in response to a message requesting it. The magistrate’s argument here was the breach of the bank account contract, specifically for not respecting the duty of restitution in the event of unaccepted transactions.

In 2022, with a very similar technique, Abanca was forced to pay 4,365 euro to a woman who shared bank details with a third party via email. The Provincial Court of Pontevedra considered, once again, that the entity had not been able to stop this premeditated deception. This ruling, despite noting how poorly prepared the fraudulent email was (it even had spelling mistakes), highlights that Abanca had not implemented an adequate anti-phishing mechanism.

In both trials, the banks’ failure to comply with their security duties tipped the balance towards their clients. At the same time, the courts rejected the general argument that banks usually present in these cases: that their internal system worked correctly, even if the passwords and codes were entered by a stranger.

Juan Pablo Palomar, a renowned lawyer at the Palomar Abogados firm and an expert in phishing, points out that “two-factor authentication is not, at all, an insurmountable retaining wall.” In fact, Delegated Regulation 2018/389 of the European Commission “makes it very clear that, well above this measure, banks must have the appropriate anti-fraud protocol.” For example, he explains, “if a client always connects from the same device to access their online banking, the entity should act immediately if the management is being carried out from another, and call the client to do the corresponding verification. Banks are perfectly capable of detecting a change of device due to the trace left by each action of this type.”

This specialist also warns of a cunning practice that usually occurs on weekends. Either through a virus that the user has previously and unknowingly installed on their computer, and which reads their bank transactions, or through a direct phone call, the potential victim is contacted with the false excuse that their account is being attacked. Their login details are then urgently requested in order to block the threat as soon as possible, or a validation code is requested in the event that a purchase has just been made. Because it is not a working day, and given the fear that this conversation arouses, many people fall into this trap.

Although demands on banks are increasing, citizens, or at least the Spanish, continue to place their trust in them. This is the conclusion that emerges from the first survey on ‘Cybersecurity and habits of using digital channels’, carried out by Sigma Dos in collaboration with the Spanish Confederation of Savings Banks (CECA). According to the data from this study, banking entities are the ones that inspire the most confidence in users when it comes to managing and protecting their personal data.

78% of respondents say that their bank cares about their digital security. And 84% indicate that they do not consider it dangerous to operate through their digital banking. In fact, this report shows that individuals are not too afraid of falling into the phishing deception, since only half of those surveyed see it as likely (or very likely) that they could become victims of a cyberattack.

The post Banks must protect clients from scams or face compensation payouts appeared first on Spain Today – Breaking Spanish News, Sport, and Information.
