The fraud scheme, which primarily targets customers of Swiss Post and courier services, is unfortunately well known. Under the pretext that a small amount is still owed for the delivery of a parcel, customers are lured by SMS or e-mail to a fake website, where they enter their credit card details for the supposed payment. This fraud method is called “phishing”. The fraudsters then use the stolen data to trigger a much larger payment. In the case in question, the customer’s credit card was charged to settle an invoice of CHF 1’500 from a foreign travel agency. The customer discovered and reported the fraud immediately, since she used a function of the credit card issuer that notified her of card charges by SMS. Nevertheless, the credit card issuer was unable to prevent the completion of the transaction the fraudsters had initiated with her data. This was due to a rule of the relevant credit card network under which such a transaction cannot be reversed in the so-called chargeback procedure if the cardholder authorised it by means of 2-factor authentication.
With 2-factor authentication, a cardholder must additionally confirm an online credit card transaction in an app or by means of a code sent by SMS to a telephone number he or she has previously registered with the card issuer. With certain authentication systems, not only the telephone number but also the device linked to it is registered in advance. A merchant who accepts credit card payments through such a system is not exposed to chargebacks and can be sure of keeping the money charged to the credit card.
The credit card terms and conditions applicable to the case provided that the credit card issuer would cover damages for the misuse of the credit card if the customer had complied with all the contractual obligations incumbent on them, namely the duties of care, and was not otherwise at fault. The credit card issuer argued that the customer had breached a central duty of care by disclosing the card data as well as the confirmation code on the phishing website, which she had mistaken for the real website of Swiss Post, and thus to unknown third parties.
In response to the Ombudsman’s objection that the customer had only provided the information necessary for a payment and had not recognised the phishing website as such, the credit card issuer replied that, in its opinion, it was generally a breach of due diligence if a customer fell for such a phishing website. It was generally known today that links from unknown senders should not be clicked on. Based on the sender’s address, it was clear that the e-mail did not come from Swiss Post. In addition, by clicking on the address of the website, one would have been able to see that it only superficially appeared to belong to Swiss Post; the actual address of the phishing website would have been recognisable in the background. Finally, it was unusual for such an odd amount to be requested in connection with the delivery of a parcel, and the customer had used the confirmation code sent to her by text message. This read as follows: “Your code for payment is: XXX”. Reference was also made to an app with which such a confirmation could have been made even more easily. The amount of the payment and the service provider were not apparent from the text message. The credit card issuer explained that this had been the case at the time and had since been changed, so that the amount and the service provider are now always shown together with the requested code.
The Ombudsman asked the credit card issuer to reconsider its position. In the Ombudsman’s view, this position presupposed a level of technical understanding on the part of the customer that was unlikely to exist among the general public. Moreover, the fact that the confirmation code had been sent without any information about the amount of the payment and the merchant had contributed significantly to the success of the fraud. The credit card issuer finally agreed to reimburse the customer CHF 800, i.e. slightly more than 50% of the loss, which the customer accepted.
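The weakness the Ombudsman points to is that a confirmation code which carries no information about the payment verifies equally well for any payment the fraudster chooses to submit. The following added example (not code from the issuer or the Ombudsman) contrasts a bare code with one cryptographically bound to amount and merchant, and shows the kind of message text that lets the cardholder see what they are approving; the key, nonce, amounts and merchant names are constructed sample values.

```python
import hmac
import hashlib

# Constructed sample values: a per-card secret and a per-challenge nonce.
CARD_KEY = b"constructed-per-card-secret-key"
SAMPLE_NONCE = b"\x01" * 16

def truncate(digest: bytes) -> str:
    """HOTP-style dynamic truncation (RFC 4226) of an HMAC digest to a 6-digit code."""
    offset = digest[-1] & 0x0F
    value = int.from_bytes(digest[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{value % 10**6:06d}"

def bare_code(key: bytes, nonce: bytes) -> str:
    """Code tied only to the card and challenge: it approves *some* payment,
    but says nothing about which one, as in the message quoted in the case."""
    return truncate(hmac.new(key, nonce, hashlib.sha256).digest())

def verify_bare(key: bytes, nonce: bytes, code: str) -> bool:
    # Amount and merchant are not part of the check, so any payment passes.
    return hmac.compare_digest(bare_code(key, nonce), code)

def bound_code(key: bytes, nonce: bytes, amount_cents: int, merchant: str) -> str:
    """Code bound to the exact payment: the amount and merchant are MACed
    together with the nonce, so a code issued for one payment is useless for another."""
    msg = nonce + f"|{amount_cents}|{merchant}".encode()
    return truncate(hmac.new(key, msg, hashlib.sha256).digest())

def verify_bound(key: bytes, nonce: bytes, amount_cents: int, merchant: str, code: str) -> bool:
    expected = bound_code(key, nonce, amount_cents, merchant)
    return hmac.compare_digest(expected, code)

def confirmation_sms(amount_cents: int, merchant: str, code: str) -> str:
    """Constructed message wording that shows the cardholder what the code approves."""
    return f"Your code for payment of CHF {amount_cents / 100:.2f} to {merchant} is: {code}"

if __name__ == "__main__":
    # Cardholder believes she approves a small parcel fee (constructed values).
    shown_amount, shown_merchant = 150, "Parcel fee (constructed)"
    # A fraudster submits a different payment with the same card data.
    real_amount, real_merchant = 150000, "Foreign travel agency (constructed)"

    bare = bare_code(CARD_KEY, SAMPLE_NONCE)
    print("bare code accepted for the fraudulent payment:",
          verify_bare(CARD_KEY, SAMPLE_NONCE, bare))          # True

    bound = bound_code(CARD_KEY, SAMPLE_NONCE, shown_amount, shown_merchant)
    print(confirmation_sms(shown_amount, shown_merchant, bound))
    print("bound code accepted for the fraudulent payment:",
          verify_bound(CARD_KEY, SAMPLE_NONCE, real_amount, real_merchant, bound))  # False
```

The binding only helps if the message shows the same amount and merchant that the issuer verifies, which is exactly the change the issuer describes having made.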