20.09.2018 09:09 Age: 1 year
Category: LEGAL NEWS

Supreme Court decision on online banking fraud

Bank clients must bear damage themselves.


Caused by their own carelessness, the plaintiffs against a bank lost € 12,880.00 to scammers who had gained access to their online banking portal. The Supreme Court (OGH) confirmed the assessment of the previous instances, which attested the first plaintiff a grossly negligent violation of his due diligence obligations.

The case is as follows: The plaintiffs are joint account holders and use the online banking function provided by the bank. The unknown scammers gained access to their access data by installing malicious software on one of the first plaintiff’s IT systems or through a phishing attack. As a result, the unknown persons were able to log into the online banking portal and create a transfer. In order to authorize the transfer, the so-called "TAC" has to be provided. The TAC is sent via SMS to the customer. This message consists of the transfer amount, the last 11 digits of the IBAN of the account to which the sum is being transferred to and the TAC. The bank regularly alerts its customers to the threat of phishing attacks and Trojans, including, by means of the warning "Prüfen Sie IMMER die Inhalte ihrer TAC-SMS, bevor sie mit der TAC zeichnen – also bei einer Überweisung die Empfänger-IBAN und vor allem den Betrag !!!!" (= always check the content of your TAC SMS before validating with the TAC - that is, when transferring, the recipient IBAN and especially the amount".

The scammers used the first plaintiff’s phone number, retrievable in the online banking, to contact him. Shortly before the call he had received an SMS containing the TAC for the authorization of a transfer. During the telephone conversation a woman unknown to the plaintiff pretended to be an employee of the bank. She asked him to tell her the recently received TAC and claimed a necessary data update as the reason for this. The first plaintiff did as he was told and thus authorized the transfer of € 12,880.00 from the plaintiff's account to an Austrian current account of another bank. Two days later, the incident repeated itself. This time, an amount of € 4,800.00 was to be transferred to a Spanish account, which however did not happen: An employee of the plaintiffs’ bank got suspicious and contacted them.

The plaintiffs referred to the Payment Services Act, which provides for strict liability on the part of the service provider for payment transactions which were not authorized by the payer, and thus attempted to indemnify the bank. The payer, however, is liable in case of gross negligence himself.

The Supreme Court now confirmed the assessment of the previous instances, stating a gross negligent breach of due diligence by the first plaintiff. With regular media coverage and numerous warnings from banks about the dangers of phishing emails and other fraud attempts, the average online banking user needs to be aware that when passing a TAC code on the phone to an unknown person, a fraudulent occurrence of damage is very likely. When taking a glance at the SMS the first plaintiff could already have seen that it was about a transfer. The bank is therefore not liable and the plaintiffs must bear the damage themselves.

Further details of the decision are available in the Ris (in German).

For questions regarding banking law, our banking law experts are at your disposal.