Unfortunately, the fraud method underlying the present case seems to be as widespread as ever, with the fraudsters mainly targeting clients of an advanced age. Alleged Microsoft employees call and claim that the client’s computer has numerous security problems that urgently need to be fixed. Deceived clients allow them to access their computer, which is usually done with a remote access programme. The fraudsters then manage to access the client’s e-banking and initiate transactions on their own.
How exactly the fraudsters had obtained the e-banking access data in this case remained open. The fraudulent transaction consisted of money being transferred to the client’s credit card account. After completing this transaction, the fraudsters blatantly claimed that the client’s Microsoft license had expired and that he could renew it for a cheap CHF 12. In return, the client gave them his credit card details. With this data, the fraudsters carried out transactions totaling around CHF 7,000, which the client had confirmed with the codes sent to his mobile phone, according to the bank.
After a while, the transaction seemed suspicious to the client. He switched off his computer and phoned the bank. His credit card was immediately blocked. When he became aware of the damage, the client, who was almost 80 years old, was ashamed that he had not noticed the fraud earlier.
After reviewing the documents and the relevant contractual conditions, the Ombudsman contacted the bank, which had repeatedly refused to compensate the client. The bank publicly advertised that it would compensate clients who were victims of cyber-attacks up to an amount of CHF 100 000, which was widely reported in the press. In the corresponding provision for its digital service offer, the bank promised to compensate clients for the credit balance that was taken from them by means of the unlawful theft of their means of identification or security elements by third parties, namely in the case of phishing or malware attacks, provided that the clients had complied in full with the conditions of participation for the digital service offer. The Ombudsman asked the bank to explain the scope of this provision and why it did not wish to compensate the client in the present case on the basis of it.
The bank was of the opinion that it was questionable whether the offence of phishing had been committed, since the attack took place by telephone and the client deliberately and voluntarily made the necessary data available to third parties whom he did not know and who had no connection to the bank. In the conditions of participation, the bank referred to a website which dealt with various security issues and stated, among other things, that personal data, in particular account data, must not be passed on under any circumstances and that the bank would never contact its clients to request access data.
In the present case, however, it was less decisive whether the facts of phishing existed. Even if this were the case, the client had violated a decisive condition for the promise of performance set out in the provision in question. This only applied if the conditions of participation were complied with in all parts, which was not the case here. The bank regretted the incident and held the client in high esteem. It was therefore prepared to pay him CHF 2 000 as a gesture of goodwill.
The Ombudsman did not consider this argumentation to be conclusive. In his opinion, it is recognised that phishing can also take place by telephone. Successful phishing for bank or card data always involves clients “voluntarily” passing the data on to unauthorised third parties, who subsequently misuse it: the fraudsters make the clients believe that there is a legitimate reason for doing so and set up a bogus world, sometimes in a very sophisticated way. If the conditions of participation stipulate that the advertised promise of benefits does not apply whenever such a transfer takes place, the promise's scope of application appears to be intangible.
As the Ombudsman considered further mediation efforts to be futile due to the overall circumstances of the case, he nevertheless passed the settlement offer on to the client in the form of an explanatory notice. The client decided to accept it.