A recent ruling by the Higher Regional Court (OLG) of Oldenburg has clarified an important legal point about fraud losses linked to phishing scams: banks are not obligated to compensate customers if the customers themselves acted with gross negligence in handling fraudulent messages. This judgment serves as a warning to consumers about the importance of vigilance in protecting their personal data and financial information.
The case involved a married couple whose joint bank account was drained by almost €41,000 after the wife responded to a fraudulent phishing email. The email contained multiple spelling mistakes and was not personally addressed to her, red flags that often indicate a scam. Despite this, the wife clicked on a link in the email, which took her to a fake website designed by criminals to mimic the bank’s legitimate portal.
At this fake site, she entered sensitive personal information including her date of birth, EC card number, and PIN. Following this, she received a text message with a link to re-register for the bank’s PushTAN authentication procedure, a method banks use to send transaction authorization codes securely. The wife forwarded this re-registration link to the fraudsters, effectively giving them access to her account.
In the initial hearing at the Oldenburg Regional Court, the couple’s claim to recover the lost funds from the bank was rejected. German law generally holds payment service providers responsible for unauthorized transactions, requiring banks to reimburse customers when fraud occurs. However, this liability is voided if the customer has acted with gross negligence, a severe lack of reasonable care.
The court highlighted that the contract between the bank and the customers explicitly requires that authentication features such as personalized codes and registration links must be protected against unauthorized access. By sharing the re-registration link and entering personal data on a suspicious website, the wife violated these contractual duties.
After reviewing expert opinions and evidence, the Higher Regional Court agreed with the initial verdict and emphasized that obvious warning signs, like poor spelling in the email and the lack of personal address, should have raised doubts about the legitimacy of the message. These factors, combined with the breach of care in handling security procedures, led to the conclusion that the customers acted with gross negligence.
The Higher Regional Court of Oldenburg’s decision (Ref. 8 U 103/23) is final and binding. The couple will not be reimbursed for the €41,000 lost because their gross negligence disqualified them from bank compensation under German civil law. This precedent reinforces that customers must exercise extreme care to avoid falling victim to fraud; failure to do so can mean bearing the financial consequences themselves.
This ruling is a crucial reminder that while banks do have responsibilities to protect customers, the primary burden of safeguarding sensitive information lies with the individual account holders. Customers must remain vigilant and cautious, especially when dealing with unexpected emails or messages requesting personal or financial information.
Here are some key takeaways for consumers:
Phishing scams continue to evolve and remain a common tool for cybercriminals to access bank accounts illegally. Awareness and careful handling of suspicious communications are the best defenses. Remember, banks will never ask you to share passwords or authentication codes via email or text.
Stay alert, protect your data, and always verify before you click!