The Court of First Instance number 7 of Las Palmas de Gran Canaria found the request from a neighbor of the capital of Gran Canaria who lost all his money when he fell victim to cybercriminals who pretended to be the bank where he had his account. The bank must pay the person concerned the sum stolen by phishing (4,902 euros), plus accrued legal interest and costs.
The bank opposed the client’s request, believing that she was solely responsible for falling into the trap. trap. The judicial authority establishes the financial responsibility of the bank since, it specifies, “the defendant is the one who provides the payment service in an environment as technological and increasingly susceptible to attacks as that in which the plaintiff was submitted, implies a financial responsibility, because it must increase security measures specific, and not just informative, depending on the payment methods it offers.
According to the judgment, the cyber scam was concocted in the summer of 2023, when the bank customer received by SMS“the usual channel of communication” with the bank, a message which informed him of “a security alert” on his card, sending him for correction in the same message to a link or computer link. The data subject activated the link from their mobile phone and this action took them to “a website with all the identifying characteristics of the bank’s website”. In this document, the judgment continues, “the plaintiff inserted a key and password to access it, but was unable to do so.”
In this way, the next day received a call of “who said he was an employee of the defendant [del banco] with knowledge of personal data of the complainant, surname, first name, last transactions… informing her that a situation of serious risk for computer security had occurred and that she had to transfer all her funds to a new account, with an Iban which was sent via the financial institution’s SMS thread.
The applicant made separate transfers to the indicated account of 1,152 and 3,750 euros“losing all availability of the above-mentioned sums, giving rise to a complaint to the National Police”.
Faced with the bank’s opposition to returning the money the cybercriminals had stolen to the woman concerned, the judge said the complainant could not be expected to “demonstrate an attitude suspicious or curious about the message sent”, which she understood to be legitimate “each time” that he even received calls from someone who claimed to be an employee of the defendant, who explained the reason SMS messages sent (…) within the conversation line he maintained with his bank.
“There is no data to prove the existence of a reckless act by the plaintiff”, the judgment states, “taking into account that a complex technological system was used containing a series of SMS attacks on the plaintiff’s trust in what she believed to be the financial institution, by sending her a link that takes her to a website page with identical content.
The sentence is subject to appeal before the Provincial Court of Las Palmas.
