When and how can phishing money be claimed from a bank?

LetsLaw / Digital Law  / When and how can phishing money be claimed from a bank?
reclamar el dinero del phishing ante un banco

When and how can phishing money be claimed from a bank?

Sometimes we receive links or messages that appear to come from trustworthy sources, such as our bank, our boss, or even our favorite store. Many of those times, those links are misleading, leading to scams for fraudulently withdrawing money from your bank account. These types of scams, better known by the name phishing, are the order of the day. The question in this case is to determine if the banks have any kind of responsibility in these cases.

What is phishing?

This technique refers to that fraudulent activity through which a cybercriminal supplants the identity of a person, to impersonate them and thus access their personal data, among which are their passwords and bank details, or those of a third party. The main objective of this type of action is usually to obtain an economic benefit for the person who commits it.

In these cases, the scammer usually asks victims for various information, but it can also happen that they ask you to download a fake invoice or click on a link. However, the most widespread modality is the one consisting of an email from the financial institution to which the recipient of the email belongs, requesting the validation or updating of any of their personal data under the threat of cancellation of the service or account.

With new modalities vishing appears, which is committed through the voice by a phone call, smishing, when it occurs via SMS, even phishing through QR codes.

Is it possible to recover the money if you have been a victim of phishing?

On certain occasions, it is the banks themselves who bear the responsibility in cases of bank phishing, as has been established by various rulings.

In this regard, on February 2, the Court of First Instance of Oviedo forced Banco Santander to return to a customer the amount of 18,500 euros that had been withdrawn from his bank account as a result of a phishing practice through which a person in Lithuania kept that money.

Thus, the Real Decreto-ley 19/2018, de 23 de noviembre, de servicios de pago y otras medidas urgentes en materia financiera” (Royal Decree-Law 19/2018, of November 23, on payment services and other urgent measures in financial matters), shows that banking entities are obliged to immediately return those operations that have not been authorized, stating that ” (…) the payer’s payment service provider will return the amount of the unauthorized operation immediately and, in any case, no later than the end of the business day following the day on which it observed or was notified the operation, except when the payer’s payment service provider has reasonable grounds to suspect the existence of fraud and communicates said grounds in writing to the Bank of Spain, in the form and with the content and terms determined by the latter (…)”.

However, the article itself shows that the bank is exempt from liability if it proves that the user incurred “serious negligence“. This is stated in article 41 of the same law, stating that the user will use the payment instrument in accordance with the conditions that regulate the issuance and use of the payment instrument, which must be objective, non-discriminatory and proportionate and, in particular, insofar as receive a payment instrument, it will take all reasonable steps to protect your personalized security credentials. In the same way, in the event of loss, theft or misappropriation of the payment instrument or its unauthorized use, it will notify the payment service provider or the entity it designates, without undue delay as soon as it becomes aware of it.

How to proceed if you have been scammed using phishing?

In the first place, you must act as quickly as possible and notify the bank immediately to inform them of said action.

Likewise, the Spanish non-governmental organization FACUA recommends going to the Police or Civil Guard as a first step, in order to file a subsequent complaint with the bank, which will allow the lost amounts to be claimed.

In the event that the bank denies the user the right to recover their money, it is advisable to go to an association that protects the rights of users, without prejudice to changing passwords, blocking the bank card and modifying all data that may have been accessible.

Other key recommendations when phishing has already happened include changing passwords, blocking the bank card and trying to identify what kind of sensitive information has been compromised.

In Letslaw by RSM we are experts in cybersecurity, and we can help you with whatever you need.

Contact Us

    By clicking on "Send" you accept our Privacy Policy - + Info

    I agree to receive outlined commercial communications from LETSLAW, S.L. in accordance with the provisions of our Privacy Policy - + Info