What is phishing?
Phishing is one of the best-known scams on the Internet, because many people have fallen victim to it in recent years.
To explain what it involves, we will refer to three characteristic factors:
- The attack is carried out by means of electronic communications, such as an email, a WhatsApp message, an SMS, a phone call, or even a message on platforms such as Wallapop or Vinted.
- The attacker impersonates a trusted person or entity (impersonation), such as your bank, your phone company or your insurer.
- Its objective is to obtain sensitive personal information that gives access to your credit card, usually the login credentials of an account to which your card is linked, or the card numbers themselves, requested directly.
Once the attacker has obtained this data, they typically carry out three kinds of operation:
- Payments with your card.
- Withdraw cash from the ATM.
- Make transfers charged to your card.
In most cases it is very difficult to identify the fraudster, because these operations usually leave no trace that leads back to them.
Phishing: legal framework
Royal Decree-Law 19/2018 of 23 November 2018 on Payment Services transposed into national law Directive (EU) 2015/2366 of the European Parliament and of the Council of 25 November 2015 on Payment Services in the Internal Market.
The aim of this Decree-Law is to create a safer and more reliable environment for users and to establish a quasi-objective liability framework for the banking entity.
To that end, the Payment Services Act imposes the following rights and obligations on payment service users and on payment service providers (the banks).
Phishing: obligations of users:
- Use the payment instrument in accordance with the conditions agreed in the contract.
- Take reasonable steps to protect your security credentials.
- Report any loss, theft, misappropriation or unauthorised use without undue delay.
Phishing: obligations of the provider of the means of payment:
In addition to the obligations stipulated in the contract, the provider must implement the security measures necessary to verify the identity of the payer and to authenticate the transaction, with the aim of detecting unauthorised or fraudulent payment transactions in time.
The Payment Services Directive (PSD2) obliges banks to ensure that payment orders are made by means of strong authentication (Arts. 97 and 98).
This means that the transaction must be validated with the personal password, or with a biometric factor such as a fingerprint or facial recognition, or with a random key generated for each operation and sent to the user so that the operation can be confirmed (two-factor authentication).
Likewise, the entity must be able to detect when authentication elements (personal keys) have been compromised or stolen, block the operation, and contact the user to verify whether he or she is really the one performing it.
For the purpose of verifying the transaction, the bank shall make use of, among other factors, the following:
- Analysis of the user's consumption patterns or habits.
- Coordinate cards (grid cards whose codes are looked up by position).
- The authorisation code for certain transactions.
- Notifications of operations on the website.
- The concept, the amount and the type of operation.
- Detection of which merchants are trusted.
- The person to whom the operation is addressed.
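The two mechanisms described above, a per-operation random key that revalidates the transaction and a check of the operation against the holder's habits, amount, type and recipient, are illustrated here with an added example. This is constructed code, not part of the original article and not any bank's implementation: the transaction history is invented, the risk thresholds and the HMAC-based code scheme are assumptions, and `SAMPLE_HISTORY`, `risk_factors`, `requires_step_up` and the `operation_code` helpers are hypothetical names.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Transaction:
    amount: float
    kind: str            # "purchase", "atm_withdrawal" or "transfer"
    counterparty: str    # merchant or payee the operation is addressed to
    country: str


# Constructed history for one hypothetical card holder: small purchases in Spain.
SAMPLE_HISTORY = [
    Transaction(20.0, "purchase", "supermarket-A", "ES"),
    Transaction(35.0, "purchase", "petrol-B", "ES"),
    Transaction(50.0, "purchase", "supermarket-A", "ES"),
    Transaction(15.0, "purchase", "bakery-C", "ES"),
    Transaction(40.0, "atm_withdrawal", "atm-D", "ES"),
    Transaction(25.0, "purchase", "supermarket-A", "ES"),
    Transaction(30.0, "purchase", "pharmacy-E", "ES"),
    Transaction(45.0, "transfer", "landlord-F", "ES"),
]


def risk_factors(history, tx):
    """Return the reasons a transaction looks unusual against the holder's habits.

    The factors mirror the ones the article lists: consumption pattern (amount),
    type of operation, the person the operation is addressed to, and origin.
    The 3-sigma threshold is an assumption chosen for the example.
    """
    reasons = []
    amounts = [t.amount for t in history]
    threshold = mean(amounts) + 3 * (pstdev(amounts) or 1.0)
    if tx.amount > threshold:
        reasons.append("amount far above the holder's usual spend")
    if tx.kind not in {t.kind for t in history}:
        reasons.append("type of operation never used before")
    if tx.kind == "transfer" and tx.counterparty not in {t.counterparty for t in history}:
        reasons.append("transfer addressed to a payee never used before")
    if tx.country not in {t.country for t in history}:
        reasons.append("operation from a country not seen before")
    return reasons


def requires_step_up(history, tx):
    """True when the bank should demand a per-operation code before executing."""
    return bool(risk_factors(history, tx))


def operation_code(server_secret, nonce, tx):
    """Six-digit one-time code bound to this specific operation (hypothetical scheme).

    Binding the code to amount, type and recipient means a code confirmed for
    one operation cannot be reused to authorise a different one.
    """
    msg = f"{nonce}|{tx.amount:.2f}|{tx.kind}|{tx.counterparty}".encode()
    digest = hmac.new(server_secret, msg, hashlib.sha256).digest()
    return f"{int.from_bytes(digest[:4], 'big') % 1_000_000:06d}"


def issue_operation_code(server_secret, tx):
    """Generate a fresh random nonce and the code the bank would send to the user."""
    nonce = secrets.token_hex(8)
    return nonce, operation_code(server_secret, nonce, tx)


def verify_operation_code(server_secret, tx, nonce, submitted):
    """Recompute the code for the operation actually being executed and compare."""
    expected = operation_code(server_secret, nonce, tx)
    return hmac.compare_digest(expected, submitted)


if __name__ == "__main__":
    secret = b"constructed-server-secret"  # placeholder, never a real key
    suspicious = Transaction(1500.0, "transfer", "unknown-payee", "ES")
    print("step-up needed:", requires_step_up(SAMPLE_HISTORY, suspicious))
    print("reasons:", risk_factors(SAMPLE_HISTORY, suspicious))
    nonce, code = issue_operation_code(secret, suspicious)
    print("code valid for the same operation:",
          verify_operation_code(secret, suspicious, nonce, code))
```

The second half shows why the per-operation key matters: if the details of the operation change after the code was issued, verification of the same code fails, so the user is always confirming the exact transfer the bank is about to execute.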
Can I get my money back if I have been phished?
Having explained the legal framework of the Payment Services Act, we can conclude that payment transactions are only considered authorised when the payer has given consent (Art. 36). If the user denies having authorised a transaction, the bank must immediately refund the amount of the transaction (Art. 45), unless it proves that the holder acted fraudulently or with gross negligence in keeping their security keys.
On this point, banks argue that voluntarily providing passwords to a phishing scammer constitutes gross negligence, since the holder has breached the obligation to keep the security keys safe.
However, according to the Supreme Court, phishing is a scam, which conceptually involves "quite misleading" deception, and therefore the "gross negligence" argument does not hold.
What to do if I have been phished?
The National Cyber Security Institute (INCIBE) indicates that, the moment you become aware that it is a scam, it is important to contact your bank immediately "to cancel any unauthorised payments or our card if necessary".
Once you have reported the phishing attack, the bank will have no grounds to object to refunding any transaction made after the report.
In addition, INCIBE stresses the importance of gathering all possible evidence in order to file a complaint with the State Security Forces and Corps.
If you have suffered from this or any other cyber fraud and your bank refuses to take responsibility for the attack, do not hesitate to contact us and we will handle your request in the best possible way.