
When and how can phishing money be claimed from a bank?


Sometimes we receive links or messages that appear to come from trustworthy sources, such as our bank, our boss, or even our favorite store. In many cases those links are deceptive and lead to scams aimed at fraudulently withdrawing money from your bank account. Scams of this type, better known as phishing, are now commonplace. The question is whether banks bear any kind of responsibility in these cases.

What is phishing?

Phishing is a fraudulent activity in which a cybercriminal impersonates a person or organization in order to gain access to the victim's personal data, including passwords and bank details, or to those of a third party. The main objective is usually financial gain for the person who commits it.

In these cases, the scammer usually asks victims for various pieces of information, but may also ask them to download a fake invoice or click on a link. The most widespread variant, however, is an email that appears to come from the recipient's financial institution and requests the validation or updating of some of their personal data under the threat of cancellation of the service or account.

Newer variants have also appeared: vishing, which is carried out by voice over a phone call; smishing, which is carried out via SMS; and even phishing through QR codes.

Is it possible to recover the money if you have been a victim of phishing?

On certain occasions, it is the banks themselves who bear the responsibility in cases of bank phishing, as has been established by various rulings.

In this regard, on February 2, the Court of First Instance of Oviedo ordered Banco Santander to return to a customer the amount of 18,500 euros that had been withdrawn from his bank account as a result of a phishing scam through which a person in Lithuania kept that money.

The “Real Decreto-ley 19/2018, de 23 de noviembre, de servicios de pago y otras medidas urgentes en materia financiera” (Royal Decree-Law 19/2018, of November 23, on payment services and other urgent measures in financial matters) provides that banking entities are obliged to immediately refund operations that have not been authorized, stating that “(…) the payer’s payment service provider will return the amount of the unauthorized operation immediately and, in any case, no later than the end of the business day following the day on which it observed or was notified the operation, except when the payer’s payment service provider has reasonable grounds to suspect the existence of fraud and communicates said grounds in writing to the Bank of Spain, in the form and with the content and terms determined by the latter (…)”.

However, the article itself shows that the bank is exempt from liability if it proves that the user incurred “serious negligence”. This is stated in article 41 of the same law, which provides that the user will use the payment instrument in accordance with the conditions that regulate its issuance and use, which must be objective, non-discriminatory and proportionate, and, in particular, that as soon as they receive a payment instrument, they will take all reasonable steps to protect their personalized security credentials. In the same way, in the event of loss, theft or misappropriation of the payment instrument or its unauthorized use, the user will notify the payment service provider or the entity it designates without undue delay, as soon as they become aware of it.

How to proceed if you have been scammed using phishing?

First, you must act as quickly as possible and notify the bank immediately to inform them of the fraudulent operation.

Likewise, the Spanish non-governmental organization FACUA recommends going to the Police or Civil Guard as a first step, in order to then file a complaint with the bank, which will allow the lost amounts to be claimed.

In the event that the bank denies the user the right to recover their money, it is advisable to go to an association that protects the rights of users, without prejudice to changing passwords, blocking the bank card and modifying all data that may have been accessible.

Other key recommendations when phishing has already happened include changing passwords, blocking the bank card and trying to identify what kind of sensitive information has been compromised.

At Letslaw by RSM we are experts in cybersecurity, and we can help you with whatever you need.
