Fraudulent credit card transactions following a phishing attack
The client wanted to make an online purchase of around CHF 100 and ended up on a fraudulent website. There, the fraudsters were able to trick him into believing that he had to load a Samsung prepaid card with the purchase amount so that payment was possible. He entered his card details and the bank sent a confirmation code to his cell phone by text message. This text message stated that the code was for registration on Samsung Pay, should only be entered in the Samsung Pay app and should not be passed on or entered on a website. The client entered the code on the website, believing this was necessary to load the Samsung prepaid card. With the fraudulently obtained data, the fraudsters effectively registered the card for Samsung Pay on a mobile device. In a second text message, the bank confirmed to the client that his card could now be used for Samsung Pay. He thought the Samsung prepaid card was now loaded. In effect, the fraudsters were now able to use his card with their mobile device to make purchases. As these transactions were confirmed within the app installed on the fraudsters' mobile device, he was not able to notice them.
Most of the fraudulent transactions took place within one day at short intervals and in considerable amounts in a clothing store and an electronics store abroad. According to the client, they were unusual for him in terms of type and amount. The Ombudsman therefore confronted the bank with the question of why the fraud monitoring system had not detected the transactions. According to his observations, a state-of-the-art fraud monitoring system is standard in the card industry and may as such be assumed by clients nowadays, but even these systems naturally cannot detect all attempts at fraud. In other words, the client is not entitled to successful fraud detection.
In its statement to the Ombudsman, the bank first addressed the process of card registration in a payment wallet. It was of the opinion that the client had breached his duty of care by passing on his card details and the code required for registration and was therefore not entitled to compensation on the basis of the card conditions. He had not paid attention to the SMS texts. If he had done so and had contacted the bank because of the contradictions between the texts and the picture the fraudsters had painted for him, the fraud could have been prevented. In addition, he would have had the option of configuring his card so that every transaction above a certain amount would be reported to him with a push message on his cell phone. He had not used this opportunity. If he had done so, he would have noticed the fraud after the first transaction. Further fraudulent transactions could have been prevented if they had been reported in good time.
The bank further set forth that it uses a modern early warning system for client security with the aim of detecting fraudulent transactions as quickly as possible. However, this does not release the cardholder from his duty of care. The criteria used by the early warning system to classify a transaction as suspicious depend on many different factors. In the present case, the system did not classify the transactions as suspicious, especially as the card had previously been registered for Samsung Pay using two-factor authentication. The client had regularly used his card for several transactions per day. The transactions had taken place locally and could also have corresponded to a tourist shopping behavior. The bank was only prepared to cover the amount exceeding the limit of around CHF 1 500.
Since the Ombudsman still saw striking discrepancies between the client’s user behavior and the fraudulent transactions and could not understand to what extent the high purchases in an electronics store in a place that was not known for cheap electronic goods should correspond to a tourist shopping behavior, he asked the bank supplementary questions. The latter maintained its argumentation and specified that the fraud detection system was not part of the contractual arrangement with the client and was also not 100% reliable. In order to minimize credit card misuse, a combination of compliance with due diligence obligations by the client, additional measures such as two-factor authentication and the fraud detection system is required. However, it was nevertheless prepared not only to pay the amount exceeding the limit, but also to reimburse the client for the full amount of the transaction that led to this overrun. The compensation was thus doubled to around CHF 3 000. The Ombudsman recommended that the client accept the offer, as he considered further mediation efforts to be futile. The client followed the recommendation.
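The fraud-monitoring criteria argued over above (a card freshly registered to a wallet, then several large purchases abroad within hours that do not match the cardholder's history) can be expressed as a simple post-provisioning check. The following is an added example, not the case report's text and not the bank's or any vendor's system; the transaction data, the 24-hour window, the 5x median factor and the date are constructed assumptions.

```python
# Added example (not the bank's or any vendor's system): a post-provisioning
# spend check modelled on the pattern in this case. All data, thresholds and
# names are constructed for illustration.
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import median


@dataclass(frozen=True)
class Txn:
    ts: datetime
    amount_chf: float
    country: str
    merchant: str  # merchant category, e.g. "grocery", "electronics"
    channel: str   # "card" (plastic/online) or "wallet" (tokenised, e.g. Samsung Pay)


def flag_after_provisioning(history, provisioned_at, new_txns,
                            window=timedelta(hours=24), factor=5.0):
    """Return wallet transactions within `window` after token provisioning that are
    at least `factor` x the cardholder's median amount AND hit a country or merchant
    category never seen in `history`. Hold these for cardholder confirmation
    (e.g. a push message) instead of approving them silently."""
    med = median(t.amount_chf for t in history)
    seen_countries = {t.country for t in history}
    seen_merchants = {t.merchant for t in history}
    flagged = []
    for t in sorted(new_txns, key=lambda x: x.ts):
        in_window = provisioned_at <= t.ts <= provisioned_at + window
        if t.channel != "wallet" or not in_window:
            continue
        unusual = t.country not in seen_countries or t.merchant not in seen_merchants
        if t.amount_chf >= factor * med and unusual:
            flagged.append(t)
    return flagged


def demo():
    """Constructed history (frequent small domestic purchases), then a wallet token is
    provisioned and large purchases abroad follow within hours."""
    day0 = datetime(2024, 1, 1)  # constructed date, not from the case
    history = [Txn(day0 + timedelta(days=d, hours=h), 35.0 + (d % 4) * 5, "CH",
                   "grocery" if h == 12 else "clothing", "card")
               for d in range(30) for h in (12, 18)]
    prov = day0 + timedelta(days=31, hours=9)
    new = [Txn(prov + timedelta(minutes=40), 480.0, "FR", "clothing", "wallet"),
           Txn(prov + timedelta(hours=1), 950.0, "FR", "electronics", "wallet"),
           Txn(prov + timedelta(hours=2), 1300.0, "FR", "electronics", "wallet"),
           Txn(prov + timedelta(hours=3), 42.0, "CH", "grocery", "card")]  # genuine
    return [t.amount_chf for t in flag_after_provisioning(history, prov, new)]
```

With the constructed history (median CHF 42.50) all three wallet purchases abroad are held, while the genuine small domestic card purchase passes; the bank's argument that the client could have enabled per-transaction push alerts is the manual counterpart of this hold.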