When the attacker obtains this data, he normally performs three operations:<\/p>\n\n\n\n
- \n
- Payments with your card.<\/strong><\/li>\n\n\n\n
- Withdraw cash from the ATM.<\/strong><\/li>\n\n\n\n
- Make transfers to your card.<\/strong><\/li>\n<\/ul>\n\n\n\n
In most cases, it is very difficult to know the identity of the fraudster because these actions usually leave no trace. <\/p>\n\n\n\n
<\/div>\n\n\n\nPhishing: legal framework<\/h2>\n\n\n\n
The Royal Decree-Law 19\/2018 of 23 November 2018 on Payment Services<\/a>transposed into national law Directive (EU) 2015\/2366 of the European Parliament and of the Council of 25 November on Payment Services in the Internal Market.<\/strong><\/p>\n\n\n\n
The aim of this Decree-Law is to generate a safer and more reliable environment for users and to establish a quasi-objective liability framework of the Banking Entity<\/strong>.<\/p>\n\n\n\n
In this way, the Payment Services Act<\/strong> imposes the following rights and obligations on payment service users and payment service providers (the banks).<\/p>\n\n\n\n
\"Payment transactions are only authorised when the payer has given his consent (Art. 36). If the user denies having authorised a transaction, the bank must immediately refund the amount of the transaction (Art. 45)\".<\/strong>. <\/em><\/p>Payment Services Act<\/cite><\/blockquote><\/figure>\n\n\n\n
<\/div>\n\n\n\nPhishing: obligations of users:<\/h3>\n\n\n\n
- \n
- Use the payment instrument in accordance with the conditions agreed in the contract<\/li>\n\n\n\n
- Take reasonable steps to protect your security credentials<\/li>\n\n\n\n
- Report any loss, theft, misappropriation, misappropriation or unauthorised use without undue delay.<\/li>\n<\/ol>\n\n\n\n<\/div>\n\n\n\n
![\"Digital](\"https:\/\/odiceabogados.com\/wp-content\/uploads\/2022\/11\/Estafas-digitales_-Phishing-1024x512.png\")
<\/figure>\n\n\n\n<\/div>\n\n\n\nPhishing: obligations of the provider of the means of payment:<\/h3>\n\n\n\n
In addition to those stipulated in the contract, it must implement the security measures necessary to ensure the identity of the payer and the authentication of the transaction <\/strong>with the aim of detecting unauthorised or fraudulent payment transactions in time.<\/p>\n\n\n\n
<\/div>\n\n\n\nStrong authentication<\/h4>\n\n\n\n
The Payment Services Directive (PSD2) obliges banks to ensure that payment orders are made by means of a strong authentication<\/strong> (Arts. 97 and 98).<\/p>\n\n\n\n
This means that the transaction must be validated with the personal password<\/strong> -or with a biometric factor such as fingerprint or facial recognition, or with a random key generated for each operation<\/strong> which must be sent to the user to revalidate the operation (two-factor authentication\/security).<\/p>\n\n\n\n
Fraudulent operations<\/p>\n\n\n\n
Similarly, the entity must be able to detect when authentication elements (personal keys) have been compromised or stolen, block the operation<\/strong> and contact the user to verify whether he or she is doing it.<\/p>\n\n\n\n
For the purpose of verifying the transaction, the bank shall make use of, among other factors, the following:<\/p>\n\n\n\n
- \n
- Analysis of user consumption patterns or habits<\/li>\n\n\n\n
- Coordinate cards.<\/li>\n\n\n\n
- The authorisation code for certain transactions.<\/li>\n\n\n\n
- Notices on the website of operations.<\/li>\n\n\n\n
- The concept, the amount and the type of operation.<\/li>\n\n\n\n
- Detect which shops are safe.<\/li>\n\n\n\n
- The person to whom the operation is addressed.<\/li>\n<\/ul>\n\n\n\n<\/div>\n\n\n\n
![\"Digital](\"https:\/\/odiceabogados.com\/wp-content\/uploads\/2022\/11\/Estafas-digitales_-reclamar-al-banco-por-Phishing-1024x512.png\")
<\/figure>\n\n\n\n<\/div>\n\n\n\nCan I get my money back if I have been phished?<\/h2>\n\n\n\n
Having explained the legal framework of Payment Services Act<\/strong>If the user denies having authorised a transaction, we can conclude that payment transactions are only considered authorised when the payer has given his consent (Art. 36). If the user denies having authorised a transaction, the bank must immediately repay the amount of the transaction to you<\/strong> (Art. 45)unless he proves that the holder has acted fraudulently or with gross negligence <\/strong>when it comes to keeping their security keys.<\/p>\n\n\n\n
In this sense, banks argue that voluntarily providing passwords to a phishing scammer constitutes gross negligence<\/strong>for non-compliance by the holder with his obligation to keep the security keys.<\/p>\n\n\n\n
However, according to the Supreme Court, phishing is a scam, which conceptually is a \"<\/strong>quite misleading<\/strong><\/a>\"<\/strong> and therefore \"gross negligence\" is annulled.<\/p>\n\n\n\n
<\/div>\n\n\n\nWhat to do if I have been phished?<\/h2>\n\n\n\n
- Withdraw cash from the ATM.<\/strong><\/li>\n\n\n\n