25/08/21

Phishing: the bank is liable

"Phishing cost Belgians 34 million euros", "FPS Finance warns of fraudulent e-mails: 'Do not react'", "Test Aankoop/Test Achat also warns of phishing messages in the name of bpost and FPS Finance".

These headlines are probably familiar to you. Criminals have discovered that it is much easier and safer for them to break in digitally than to enter someone's house with a crowbar. But the question arises as to who is liable for the damage incurred if one unsuspectingly falls for it.

No doubt you too have already received e-mails from your (alleged) bank asking you to urgently check your data, a (fake) text message from bpost containing a link to a parcel, or a message from the FPS Finance containing a link to a refund or a premium to which you are supposedly entitled.

All these messages have one thing in common: they may look very real, but they come from criminals and their sole purpose is to plunder your bank accounts. Click on the link and follow the steps, and you can be sure that your bank accounts will be looted shortly afterwards. Cyber criminals do not even hesitate to recreate entire bank websites in order not to arouse suspicion. This form of crime ("phishing") is therefore becoming increasingly sophisticated.

The question arises as to who is liable for damages in the event of phishing.

Due to a change in the law in 2018, banks are in principle liable for damages in the event of phishing. Your bank is therefore obliged to compensate you for the full amount of the damage suffered (minus an excess of EUR 50).

However, there is an important exception to this rule. If the bank can prove that you were grossly negligent in connection with the phishing, you will bear the full amount of the damage yourself. And, as is to be expected and feared, banks do not hesitate to invoke this provision to refuse repayment of the misappropriated funds.

But what is to be considered "gross negligence"? The legislator did not define this criterion and has therefore left it to the courts to give it concrete form.

Gross negligence is the superlative of ordinary negligence. Whereas ordinary negligence is something that can happen to anyone, gross negligence should rather be qualified as outright stupidity.

Given that this legislation is relatively recent, we cannot yet rely on much case law to know how the criterion of "gross negligence" should be assessed in practice.

For the time being, we mainly have to rely on a judgment in which the Antwerp court of appeal ruled that there was indeed gross negligence in a specific case.

The court of appeal based its decision on the fact that the e-mail did not originate from an e-mail address of the bank (or from one resembling it), that the e-mail did not contain a logo of the bank, and that it did not refer to a (fake) website of the bank.

What can we learn from this judgment? That it will always be a question of facts. The court will look at each case individually to determine how clever the phishing attempt was and how realistic the fake e-mail, text message and/or website was. If these are very convincing and hardly distinguishable from the real thing, there is a real chance that the court will rule that there was no gross negligence and that the bank will be obliged to refund the stolen amounts. On the other hand, if the e-mail or website is amateurish, the court is likely to conclude that it was grossly negligent to respond to it.

This is all the more important because banks proactively and regularly warn their customers, via e-mail, in the traditional media and on social media, about phishing and emphasize that one should never disclose one's secret code to third parties. Moreover, it does not seem unrealistic that courts will judge victims even more severely in the future, now that the phenomenon of phishing (and how to protect oneself against it) is becoming more and more widely known.

It is also interesting to note that the court of appeal (and the courts of first instance) did not take the age of the victim into account either. For the criterion of "gross negligence", the courts use as a yardstick "the presumed behaviour of a normally diligent and circumspect payer, placed in the same concrete external circumstances, with the payer's own characteristics, such as age, being disregarded".

Finally, it is worth mentioning that if you are a victim of phishing and your bank refuses to compensate you, you can call on "Ombudsfin", the mediation service for financial services. This mediation service will issue a report and a proposal. However, banks are not bound by this report and its proposal. In practice, it happens (very) regularly that banks ignore Ombudsfin's verdict. In that case, there is no other choice but to go to court.

We advise you to contact your bank immediately, as soon as you discover that you are a victim of phishing, so that the abuse of your accounts can be stopped.


Author: Roeland Moeyersons