Duty of care required of the bank in the event of phishing fraud (OGH 7Ob 95/24g, 28.08.2024)

Created by Mag. Sylvia Unger
Banking Law

1. Facts of the case 

A bank customer (plaintiff) fell victim to social engineering. He received a phishing text message disguised as a notification from a parcel delivery company and entered personal data and his internet banking access number. Independently of this, he then withdrew EUR 7,500 in cash. Later he was called from a number he did not recognise and told that his account had been accessed. He was called again the same day. This caller posed as a bank employee and instructed the plaintiff to log in to his internet banking in order to reverse the alleged access. At the same time, the perpetrator logged in to the customer's internet banking using the access number obtained through the phishing message. In the control app used for two-factor authentication, the customer confirmed not only his own login but also the perpetrator's.

The first transfer, for EUR 20,000, was stopped by the bank's automatic transaction monitoring system; the following ones were not. The perpetrator initiated four further international transfers (twice EUR 9,000, plus EUR 3,950 and EUR 5,700), totalling EUR 27,650.

The customer authorised all of these transfers in the control app. He subsequently demanded repayment of EUR 27,650 from the bank and sued under §§ 67 and 68 ZaDiG 2018.

 

2. Legal judgement 

In this case, the Supreme Court had to decide whether the defendant bank had complied with all the necessary duties of care. In its decision, it confirmed the decisions of the lower courts (Salzburg Regional Court and Linz Higher Regional Court). 

The bank had warned the customer in advance about phishing attacks and had set up a comprehensive security system to monitor transactions. This system blocked one of the fraudulent transfers, the one for EUR 20,000, because the transfer deviated from the plaintiff's usual behaviour on account of the high amount and the unknown recipient.

With regard to the transfers that were not stopped, the court held that the bank was under no obligation to block every transaction the customer had authorised. The bank's monitoring system applies defined criteria designed to recognise conspicuous or atypical transactions. On that basis it recognised the first transfer as suspicious and stopped it, and it was equally active for the subsequent transfers that went through. That these were not stopped was a consequence of the customer's own earlier cash withdrawal of EUR 7,500: a genuine outflow of that size made the following transfers, which were of comparable size and within that range, appear plausible to the system.
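To make the behaviour the court describes concrete, the following is an added illustrative model, not the bank's actual system (the decision does not describe the bank's rules). It assumes a simple baseline rule: a transfer is stopped when it goes to a payee the account has never paid and exceeds a ceiling derived from the largest recent outflow. The tolerance factor, the floor, the routine payment history and the payee names are all constructed for the example. Run against the amounts from the case, it shows why the EUR 20,000 transfer is stopped while the four smaller ones pass once a legitimate EUR 7,500 cash withdrawal sits in the history, and what the same rule would have done without that withdrawal.

```python
"""Illustrative model of behaviour-based transaction monitoring.

Constructed example, not the bank's rule set. It demonstrates the failure mode
from the case: a legitimate large outflow (the customer's own EUR 7,500 cash
withdrawal) raises the amount the monitor treats as plausible, so later
fraudulent transfers below that bar are not challenged.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Transaction:
    amount: float   # outgoing amount in EUR
    payee: str      # counterparty; "CASH" marks a withdrawal by the customer


@dataclass
class Profile:
    """Per-customer baseline: recent approved outflows and payees seen before."""
    history: list
    known_payees: set = field(default_factory=set)


# Hypothetical tuning constants; a real monitor would derive these from data.
TOLERANCE = 1.5      # how far above the largest recent outflow still counts as usual
FLOOR = 2000.0       # amounts below this are never unusual on size alone


def plausible_ceiling(profile: Profile) -> float:
    """Largest amount that still looks like the customer's normal behaviour."""
    if not profile.history:
        return FLOOR
    return max(FLOOR, TOLERANCE * max(t.amount for t in profile.history))


def assess(tx: Transaction, profile: Profile) -> dict:
    """Stop a transfer only if it is both unusually large and goes to an unknown payee."""
    ceiling = plausible_ceiling(profile)
    unknown_payee = tx.payee not in profile.known_payees
    return {
        "amount": tx.amount,
        "payee": tx.payee,
        "ceiling": ceiling,
        "unknown_payee": unknown_payee,
        "stopped": unknown_payee and tx.amount > ceiling,
    }


def run_monitor(profile: Profile, pending: list) -> list:
    """Screen transfers in order. Approved transfers feed back into the baseline
    (the customer authorised them); stopped transfers do not."""
    decisions = []
    for tx in pending:
        decision = assess(tx, profile)
        decisions.append(decision)
        if not decision["stopped"]:
            profile.history.append(tx)
            profile.known_payees.add(tx.payee)
    return decisions


def build_profile(with_cash_withdrawal: bool) -> Profile:
    """Constructed account history: small routine payments to known payees,
    optionally followed by the customer's own EUR 7,500 cash withdrawal."""
    routine = [
        Transaction(850.0, "LANDLORD"),
        Transaction(120.0, "UTILITY"),
        Transaction(1200.0, "CAR_REPAIR"),
    ]
    profile = Profile(history=list(routine), known_payees={t.payee for t in routine})
    if with_cash_withdrawal:
        profile.history.append(Transaction(7500.0, "CASH"))
        profile.known_payees.add("CASH")
    return profile


# Amounts from the case; the foreign payee identifiers are constructed.
FRAUDULENT_TRANSFERS = [
    Transaction(20000.0, "FOREIGN_ACCT_1"),
    Transaction(9000.0, "FOREIGN_ACCT_2"),
    Transaction(9000.0, "FOREIGN_ACCT_3"),
    Transaction(3950.0, "FOREIGN_ACCT_4"),
    Transaction(5700.0, "FOREIGN_ACCT_5"),
]


def stopped_amounts(with_cash_withdrawal: bool) -> list:
    """Amounts the monitor stops for the given account history."""
    decisions = run_monitor(build_profile(with_cash_withdrawal), FRAUDULENT_TRANSFERS)
    return [d["amount"] for d in decisions if d["stopped"]]


if __name__ == "__main__":
    print("with prior EUR 7,500 cash withdrawal, stopped:", stopped_amounts(True))
    print("without that withdrawal, stopped:", stopped_amounts(False))
```

With the cash withdrawal in the history the ceiling is 1.5 x 7,500 = EUR 11,250: the EUR 20,000 transfer exceeds it and is stopped, the EUR 9,000, 3,950 and 5,700 transfers do not and pass, and each approved transfer raises the ceiling further. Without the withdrawal the ceiling falls back to the EUR 2,000 floor and every one of the five transfers would have been stopped. The example also illustrates why a monitor of this kind cannot substitute for the customer declining to approve the login and transfers in the control app: once the customer's own activity has widened the baseline, transfers of the size in question are indistinguishable from legitimate ones by amount and novelty alone.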

The Supreme Court confirmed the legal assessment of the lower courts. They had classified the customer's conduct as grossly negligent, because he had disclosed his personal access data in response to the phishing message and then personally approved every transaction in the control app. He was therefore solely responsible for the resulting loss.

 

3. Conclusion 

There was no breach of the duty of care on the bank's part. Even if the bank could be accused of some breach of its duties, the customer's conduct was so serious that any such breach recedes into the background. The customer's own behaviour made the fraud possible in the first place. This is yet another reason to be very careful when using internet banking: never click on links from unknown senders, and never disclose security-relevant data (PIN, user number, etc.).