Phishing scams, damages and liability: the ruling of the Court of Cassation

The ABI has sent a circular to its member banks: if a bank customer falls into the ‘trap’, the responsibility lies with the customer and not with the credit institution

If a bank customer falls into the phishing ‘trap’ and becomes the victim of a fraud, the responsibility lies with the customer and not with the bank. This is what the Court of Cassation established with ruling number 7214 of 13 March, in which it addressed the issue and effectively introduced a principle that, for banks, acts as a shield against the claims for damages brought by account holders defrauded online.

In the case covered by the ruling, as we learn from a circular that the ABI sent to its member banks, the account holder disowned a fraudulent transfer carried out electronically on his account by a third party. At first instance, the Court of Palermo had ordered the intermediary to reimburse the account holder the sum that had been fraudulently taken, holding that the intermediary had not adopted all the technically suitable security measures to prevent damage of the kind at issue in the case. This decision, however, was overturned by the Palermo Court of Appeal and the reversal was then confirmed by the Supreme Court. The Court of Cassation, endorsing the Court of Appeal’s reasoning on the facts of the case, declared the appeal inadmissible and thereby excluded the intermediary’s liability.

Summarising the contents of the decision, the ABI draws its members’ attention to several points: the account holder’s conduct is to be considered ‘imprudent and negligent’, since the customer entered his personal codes in response to a fraudulent e-mail requesting them, thereby allowing the scammer to use them later to arrange payment orders. On this point, the second-instance court had highlighted that the activity carried out by the intermediary, insofar as it also involves the IT processing of personal data, is to be considered ‘dangerous’ (Legislative Decree no. 196 of 2003, art. 15, and article 2050 of the Civil Code), in view of the ever more frequent computer scams aimed at fraudulently capturing the data needed to carry out illicit operations.

Furthermore, the association recalls, in the opinion of the appeal judges the intermediary had adopted a security system capable of preventing third parties from accessing the account holder’s personal data, since “the security levels of the computer systems (…) have been certified by specific certifying bodies, according to the most rigorous and reliable international standards”, and from the content of these documents it emerges that “the use of the online service can only take place through the insertion of various secret codes held by the user and unknown even to the personnel” of the intermediary. The appeal judges also viewed positively the conduct of the intermediary, which had provided the customer with specific information, including at the pre-contractual stage, on the importance of safeguarding and correctly using the credentials. In addition, the judges pointed out that “on the website of (…) [the intermediary], easily consultable by the account holder”, there is a dedicated space in which “the information necessary to avoid computer fraud (in particular, phishing) is provided, with the warning, in particular, that [the intermediary] never asks, through e-mail messages, letters or telephone calls, for the personal codes to be provided, together with the information necessary to distinguish the authentic and protected website of (…) [the intermediary] from the cloned ones, in which the account holder is induced to enter his own personal codes”.

With reference to the burden of proof, the ABI concludes in the circular, the Court of Cassation held that the intermediary was not required to prove that the debit had been authorised by the account holders, since, given the “security characteristics of the computer system [of the intermediary] for the execution of banking operations electronically, there was proof, derived from presumptions, that these usernames, PINs and passwords, which the applicants claimed they had not used to issue that order, were used by a third party after their illicit capture”.