
FINE-069924


Case number: FINE-069924 (2025)

Case category: Account use and payments

Decision issued: 29.01.2025

How are responsibilities divided between the customer and the bank in the case of payments done online and confirmed with the bank’s mobile application? Unauthorised use of a payment instrument. Gross negligence of the payment service user.

Account of the case

The customer received an email message sent by criminals in the name of the tax authority, containing a link to a fake website created by the criminals and looking like the tax authority’s website, on which the customer then used her online banking credentials.

With the information acquired through the fake website, the criminals activated the bank’s mobile app installed on their own iPhone 7 device on 12 December 2023 at 14:38. In order to do this, it was necessary to enter the customer’s username, password, a one-time access code from the bank-issued access code list and the confirmation code that the bank sent to the customer in the following SMS message at 14:38:
“IMPORTANT! [The Bank’s Mobile App] is being activated on a new device with your [Bank] online banking credentials. BEWARE OF SCAMS! DO NOT GIVE THE CONFIRMATION CODE TO ANY PERSON OR WEBSITE. SCAM WEBSITES MAY LOOK LIKE [THE BANK’S] WEBSITE. The code is only used for activating [the Bank’s Mobile App]. If you are not activating [the Bank’s Mobile App] yourself, do not use the code, and delete this message. If you are activating [the Bank’s Mobile App] yourself, enter the confirmation code 1543 on [the Bank’s Mobile App] on your device.
If you suspect that you have entered your online banking credentials on a scam website, you should immediately call the deactivation service on 09 xxxx xxxx (local network charge/mobile call charge). Best regards, [the Bank].”

The aforementioned mobile app was used to make transfers between the accounts used by the customer, and between 12 December 2023 at 21:05 and 13 December 2023 at 00:11, 50 unauthorised bank transfers were made from the customer’s account to three different beneficiaries for the total amount of 23,136.17 euros.

The customer deactivated her online banking credentials on 13 December 2023 at 20:54.

Customer’s complaint

The customer demands compensation of 19 558 €, since some of the funds were recovered.

Description of Events

The customer was reading her emails on her iPhone on 2023-12-12 at 12.30. She noticed an email that appeared to be coming from the Finnish tax authority's "OmaVero" service, indicating to her that she had a new important message. She proceeded to click on the button "Avaa Viesti", which opened in the mobile browser a webpage that she thought to be the OmaVero sign-in page. She selected sign-in with Bank credentials, since she is a Bank customer, leading to a page looking just like the Bank login page.

The customer tried to identify herself on the login page with her bank credentials, but the login page got stuck. Several such login attempts got stuck as well. Subsequently the login website told the customer that the OmaVero account had been locked and that an additional SMS confirmation code was needed for the login, and asked the customer to enter the code from the Bank SMS message, which the customer did.

After all attempts at the OmaVero login failed, the customer proceeded to try to log in directly to the Bank mobile application. Several such login attempts to the Bank Mobile app failed by getting stuck in a similar way as they had got stuck on the fake OmaVero login page. This seemingly confirmed and provided evidence for the hypothesis that the problem was in the bank's identification backend services. The Bank says it has not found any explanation for these problems in its system data.

On 2023-12-13 at 12.30 the customer noticed that her account had been emptied and that her husband's account (which the customer has the right to use) had also been emptied. The customer promptly contacted the bank's customer service about the matter. A total of 23 146.17 € was stolen from three accounts.

Arguments for the customer diligence and lack of gross negligence

Diligence and carefulness must always be measured relative to the capabilities of the person in question. An experienced, knowledgeable person with good language skills, high intelligence and expertise in the local culture and possible scam types can detect phishing attempts even when being only minimally careful. But the customer is in a much weaker position: she comes from a foreign culture with different customs, she has very limited Finnish language skills, dyslexia and a history of mild psychosis, she has no understanding of the kinds of phishing scams criminals use nowadays, and she has not been aware of any educational material about such scams or proper ways to avoid them. Persons like the customer can be more easily fooled by cleverly crafted scams even if they try to be careful and do in fact care about the protection of their property.

The Bank made no effort, during her time as a customer, to educate her in any way about the possibilities of online phishing attacks and effective protection measures. No messages about ongoing threats or effective protective measures were sent to her by the bank in any form, let alone in English, which she would have understood. As a person with little Finnish language skill, the customer has not been able to follow the general news and articles about the evolution of the various phishing campaigns.

Being an immigrant, the customer wants to be extra diligent in her dealings with Finnish officials, including the tax authority. This care about fulfilling her duty towards the Finnish government created in her a feeling of urgency in trying to read the message from the tax officials that she thought she had received, especially when the tax year was drawing to an end.

The customer was never attempting or willing to do any banking transactions and never tried to navigate to or log in to the web bank page. She was just trying to identify herself for the OmaVero service. The customer was under the understandable and sensible assumption that attempts to log in to the OmaVero service are distinct from attempts to log in to the web bank or to confirm bank transfers in the web bank, so that attempts in one could not be illegally used for the other.

The customer has not been educated by the Bank or otherwise about the safety measure of not going to online banking by clicking a link or button in a received message. But even if the customer were considered responsible for following such a rule, she never broke it, since she was not clicking the button to go to online banking but to the OmaVero service, which only after several steps led to identification with bank credentials.

The email in the customer's email app looks legitimate. The sender is shown simply as "OmaVero", which looks legitimate, with the underlying email address hidden and not easily visible. The button in the email does not show the URL of the target address, giving no reason for suspicion.

The Bank claims that it never sends messages leading to the web bank in emails. This is not true. Clicking on those links sent by the bank proceeds to a page that has another link for proceeding to the Bank online bank login page. This has a very similar structure to the OmaVero scam, where the link in the original message goes to the page of some other service first, but that page then includes navigation to bank-ID based identification. The presence of such messages leads customers to the assumption that there can be legitimate messages with legitimate links to services like OmaVero which lead to legitimate bank-ID identification processes.

The fake OmaVero page that opened from the fake OmaVero message's button and the subsequent bank-ID identification pages were meticulously designed to look like the real pages. In particular, the URL of the page started with "https://omavero.fi...", which looks very legitimate on the mobile browser, which only shows the beginning of the current page's URL.

The fake OmaVero login page stated that an extra SMS confirmation code would be needed for the OmaVero login because she was using a mobile phone for the OmaVero login (while she usually uses a desktop computer). There was a history of the bank sending confirmation SMS codes for various operations, hence there was a routine for doing that, and getting another SMS confirmation code did not seem exceptional.

It was hence understandable and natural that the customer could mistake the Finnish text "...ollaan ottamassa käyttöön [pankin mobiilisovellusta] uudessa laitteessa" to refer to the fact that she was trying to log in to OmaVero from a new mobile device instead of using her desktop computer as usual, and that she was confirming this action with the confirmation code sent by the bank. The customer mistakenly but understandably reasoned that the capital-letter warning "VARO HUIJAUKSIA! ÄLÄ ANNA VAHVISTUSKOODIA..." did not apply to the current situation, because she was thinking that she was not "giving the code to someone" but just using it herself for the legitimate purpose of confirming mobile-device use for her OmaVero login. If the Bank is sending a confirmation code by SMS, that implies that there must be a legitimate use of the code, and the customer was under the impression that she was in fact proceeding along that legitimate way.

The iPhone SMS software uses algorithms to automatically analyze incoming SMS messages, detecting confirmation codes and prompting the user to "Copy Code" with a simple button press. This (a) hides part of the message text and (b) encourages even a diligent user like the customer to click on the "Copy Code" button, which closes the message to allow the code's easy entry on any webpage.

The customer is also a user of the Bank's Mobile App and has used it occasionally for identification. However, she believed that there are some legitimate situations where Mobile App identification cannot be used and using the much less secure paper password lists is the only option. Hence she had the routine of mixed use of these two identification methods.

Several banks have been moving completely away from paper-based password lists because they are significantly less secure. With paper-based password lists, criminals can use a stolen password intended by a customer for one purpose for a completely different purpose, like logging in to the web bank, whereas with mobile identification the purpose of the action to be confirmed is always explicitly visible to the user. The Bank has made no attempt to educate or encourage the customer to understand that the more secure Mobile App identification can always be used instead of the paper password lists, or to encourage her to move to using Mobile App identification only. This scam would have failed at an early stage if the customer had only used Mobile App identification.

Given the context and background, it was easy to get fooled by the scammers into entering the code from a Bank SMS confirmation message. She understandably and naturally thought it was related to her OmaVero login process because.

The bank has not provided any explanation of why the bank login was failing for the customer in this way, which led the customer to draw the wrong conclusion about the reason for the problem. If the reason for the failure was somehow the ongoing criminal activity, then it would have been critical for the bank's Mobile App (instead of just getting stuck) to give a clear error message like "You cannot log in currently since your Mobile Bank is being used by another mobile device", which would surely have led to further investigation and to avoiding the damage. On the other hand, if the bank's mobile login had succeeded, the customer's hypothesis about a problem in the bank's services would have been disproven in her mind, and she would have continued her investigation of other possibilities and would surely have discovered the nature of the phishing scam. The criminal transactions emptying the accounts happened only late at night on 2023-12-12, so determining the nature of the scam at that time would have been sufficient to prevent all the illegal transfers.

The Bank failed to pause a combination of operations that was massively suspect. Banks have the habit of putting suspicious transactions on hold and requiring additional explanations via customer-service chat before letting them through. In the case of the criminal transfers, every single aspect of them seems highly suspect and clearly should have been subject to blocking for additional explanations. The transfer of 16 900 € from the husband's account to the customer's account should be considered highly suspect, since there had been no internal transfers between the accounts whatsoever and the sum completely emptied the account. The subsequent transfers of 22 000 € from the customer's accounts to three foreign accounts during a short time period should be considered highly suspect, since they completely emptied the accounts and consisted of multiple small payments without any messages. But the most suspect of all should have been the combination of these two suspect events immediately after a new mobile device had been added as a web-bank identification device.

Conclusion

Based on all of the above, the customer has been at most negligent, but not grossly negligent, in her attempts to identify herself to the OmaVero service. The customer's intent was never to do any bank- or money-related operations. She made several mistakes based on a series of misunderstandings, false assumptions and the cunning illusions of a legitimate login process created by expert criminals. Such misunderstandings and consequent mistakes are understandable for a person in her situation, with her background and her context, even when she was willing to be careful and diligent. Therefore the customer should only be responsible for 50 € for regular negligence, and the Bank should be considered responsible for the rest of the illegal transfers.

Bank's reply

According to the customer, she received an email from the "Finnish tax authority" ("Omavero") indicating to her that she had a new important message. The email included a link (push button) to a third-party website asking her to submit the customer's username, password, a one-time password from the bank-issued password list and a confirmation code for the Bank's mobile app. After receiving the message, the customer clicked on the link, proceeded to the website and entered the required credentials on the website.

To download and install the Bank's mobile application on a new device, a user needs to have the customer's personal online banking username, password, access code table and a confirmation code sent via SMS. According to electronic records, the customer used an iPhone 11. The bank's electronic records indicate that the Bank's mobile application was activated on an iPhone 7 (Apple iPhone9,3) on 12.12.2023 at 14:38.

According to the bank's records, it sent the confirmation code that was used to authorize the installation of the Bank's Mobile application on a new mobile device via SMS to the customer's mobile phone number at 14:38.

The content of the message about downloading the Bank's Mobile application, sent by the bank, clearly states that the confirmation code is related to downloading the Bank's Mobile application and that the code should not be entered anywhere other than the Bank's mobile application. However, the customer entered the confirmation code on a phishing website, contrary to the explicit prohibition in the message. If the customer had contacted the Bank upon receiving the message to ensure the legitimacy of the communication, the damage would have been completely avoided. If the customer had understood the content of the message, she should have understood that the confirmation code should not be entered on a phishing website.

The customer closed her online banking ID on 13.12.2023 at 20:54. The claimed transactions were made before closure of the payment credentials.

The bank has checked its system data and there is no sign of any problems in the customer's mobile app. Sometimes a bad internet connection can cause this kind of problem. Only one authentication can be done at the same time, but it is possible to use the Bank's mobile app on two phones simultaneously.

The customer claims that she is unable to follow the Finnish-language general news about phishing warnings and that the bank failed to provide any effective communication of the evolving phishing threats that would have reached her.

According to the bank's terms and conditions:
The agreement is made in Finnish or Swedish. You can use our services in Finnish or Swedish. If you wish to use a language other than Finnish or Swedish, you shall be liable for the costs of acquiring and using the interpretation services that you may need.
Therefore, it is the customer's legal responsibility to make sure that she understands all the messages that the bank may send to her. In this case, despite the language barrier she invoked, and also due to the language barrier, the customer should have suspended her transaction, because she could not be sure of the purpose of the code she received from the bank via text message. If the customer does not understand or cannot be sure what the code sent by the bank via text message is intended for, she should have contacted the bank to make sure of the purpose and appropriateness of the procedure. The customer's statement indicates that the customer may not have understood the message sent by the bank. Additionally, the customer should read the terms attached to her banking agreement.

The Bank does not send any links to the Bank's login page. Pursuant to the Bank's digital services terms and conditions:
You may not in any circumstances divulge your online banking credentials or confirmation code, sent by us in an SMS, verbally by answering to a phone call, email or similar message asking such details.
You may not use your online banking credentials to log in to online banking services, authenticate your identity or handle other banking business, if the link to the login page was sent to you by email or other electronic means.

Therefore, the customer was also provided with prior information about the possibility of fraud messages and the protocol related to using the online banking credentials.

The bank considers that the customer's actions constitute grossly negligent conduct in accordance with Section 62 of the Finnish Payment Services Act. This follows from the fact that the customer provided the credentials to a third party. The Bank's SMS for authorizing the installation of the bank's mobile application states that the code should not be given to any third-party applications or websites, and according to the SMS, the customer should contact the Bank if the customer is not installing a new instance of the bank's mobile app on a mobile phone. The customer disregarded the instructions provided by the bank.

Therefore, the bank is not liable for reimbursing the amounts claimed by the customer.

Reports

In addition to the communications between the parties, the Banking Complaints Board was provided with the following documents:
- General terms and conditions of the banking codes and online services
- Card terms and conditions

Recommended solution

Formulation of question

In order to resolve the division of responsibilities between the customer and the bank, the Banking Complaints Board will have to assess whether the unauthorised use of the payment instrument can be attributed to the customer having, through carelessness, neglected her obligations under Section 53(1) of the Act and the terms and conditions governing online banking, as well as assessing the degree of any carelessness on the customer’s part.

The applicable norms of law and policy terms

The provisions applicable in the case are Sections 9, 38, 53, 54, 62 and 63 of the Payment Services Act. In addition to the Payment Services Act, the bank’s general terms and conditions of the banking codes and online services are applicable.

Evaluation of the case

The course of events

The Bank has presented a report on the events and on the information the criminals must have possessed in order to activate on their own device another mobile app of the Bank under the customer’s name, which they used to confirm the contested transactions. The Banking Complaints Board has no reason to doubt the veracity of the report presented by the bank.

In the case, the Banking Complaints Board considers it established and uncontested that the customer received an email message under the name of the tax authority, containing a link to a fake website created by criminals, on which the customer entered her online banking credentials while under the impression that she was interacting with her bank. Having acquired the customer’s online banking credentials in this way, the criminals started activating the bank’s mobile application in the customer’s name with their own iPhone 7 device. Because of this, the bank sent the customer an SMS message on 12 December 2022 at 14:38, containing the required confirmation code for activating the mobile app. The contents of the SMS were as follows:
“IMPORTANT! [The Bank’s Mobile App] is being activated on a new device with your [Bank] online banking credentials. BEWARE OF SCAMS! DO NOT GIVE THE CONFIRMATION CODE TO ANY PERSON OR WEBSITE. SCAM WEBSITES MAY LOOK LIKE [THE BANK’S] WEBSITE. The code is only used for activating [the Bank’s Mobile App]. If you are not activating [the Bank’s Mobile App] yourself, do not use the code, and delete this message. If you are activating [the Bank’s Mobile App] yourself, enter the confirmation code 1543 on [the Bank’s Mobile App] on your device.
If you suspect that you have entered your online banking credentials on a scam website, you should immediately call the deactivation service on 09 xxxx xxxx (local network charge/mobile call charge). Best regards, [the Bank].”

The Banking Complaints Board considers it established and uncontested in the case that the customer also entered the code she received in the SMS on the website accessed through the aforementioned link. Once the criminals received the code, they were able to activate the bank’s mobile app in the customer’s name on their own device. The unauthorised payment transactions in question were made by the criminals, who confirmed them with the aforementioned mobile app of the bank.

Assessment of the customer’s actions

The terms of the online banking credentials explicitly prohibit the use of online banking credentials for logging in to the bank’s website, for authenticating one’s identity or for handling other banking business if the link to the login page was sent by email or other electronic means.

The Banking Complaints Board considers that the customer has neglected her duties under the terms of the online banking credentials by using her credentials on the website accessed through the link in the email message.

However, the Banking Complaints Board draws attention to the fact that, based on the screenshot the customer took of her phone screen, the email message sent by the criminals looks like it had come from the tax authority and seems authentic. The Board thus considers that, on the basis of the reports received on the case, the customer cannot be deemed to have had a reason to doubt the legitimacy of the communication arriving in the name of the tax authority.

The Banking Complaints Board here draws attention to the fact that many different operators, from delivery services to healthcare services and grocery stores – including operators within the same group with a bank – as well as the authorities, nowadays send their customers messages concerning their relationship and containing links, which has made communications of this kind quite common and may have contributed to the fact that even a diligent internet user may not think to question the appropriateness of an email message arriving in the name of the tax authority and a link in that message.

Noting also the fact that in this case, the link in the email message led to a website looking like the tax authority’s website and so the customer had the impression she was dealing with the tax authority and used her online banking credentials for this purpose and in order to authenticate her identity for the tax authority’s e-service, the Banking Complaints Board finds that the customer’s failure to follow the terms of the online banking credentials only shows slight negligence as far as the abovementioned elements are concerned.

However, the Banking Complaints Board considers that when the customer received the SMS message containing the activation code for the Bank’s mobile app in a different situation from the normal authentication situation, she should – especially in light of the contents of the SMS message – have known to question the legitimacy and intention of the communication she received and, in accordance with the instructions in the SMS message, should not have entered the activation code she had received in the corresponding column on the website. If the customer had contacted the bank herself at that point, for example, as recommended in the SMS, and asked whether the action was legitimate, the damage caused by the unauthorised use of the customer’s online banking credentials in the case could have been avoided.

The Banking Complaints Board considers that the aforementioned SMS message sent to the customer by the bank correctly explains what the confirmation code is used for and where it should be entered, warns in capital letters against scams and against entering the code on any website, and tells the customer to contact the deactivation service if he/she thinks he/she has entered the credentials on a scam website. In this regard, the customer has pleaded poor command of Finnish and the fact that she understood the contents of the SMS message to refer to the fact that she was logging in to the OmaVero e-service using a new mobile device.

In its resolution practice, the Banking Complaints Board has held that the basic diligence required of the holder of online banking credentials includes the requirement that when the customer uses the online banking credentials, he/she reads the messages received from the bank in the course of his/her actions and acts accordingly. On the other hand, the Board considers it the bank’s responsibility to ensure that the messages it sends to its customers are comprehensible, so that a diligent holder of online banking credentials, for example, would not remain in doubt about the purpose of the code received in the bank’s SMS message. If the customer, however, does not understand the language that is used by mutual agreement in his/her interactions with the bank, the Board considers it his/her responsibility as a diligent customer to verify what the bank is communicating to him/her in the course of an interaction requiring the use of online banking credentials. In the last resort, if a language barrier prevents the customer from understanding or being certain about the purpose of e.g. a code sent by the bank in an SMS message, the Board considers that a customer acting with due care should interrupt his/her actions and, for example, contact the bank in order to verify the purpose and legitimacy of the action.

Given the above, the Board considers that in this case, despite the language barrier pleaded by the customer, and also because of it, she should have known to interrupt her actions because she was not able to verify the purpose of the code she received in the SMS message from the bank.

On the basis of the reports received in the case and especially with regard to the contents of the bank’s SMS message containing the confirmation code required for activating the bank’s mobile app, the Banking Complaints Board considers that the customer’s actions show a clearly negligent attitude towards the security risks related to the control and use of her online banking credentials – which also serve as a payment instrument – and differ clearly and essentially from the diligent action that is required of a holder of online banking credentials. The Banking Complaints Board thus finds that the customer’s actions are evidence of gross negligence in the meaning of the Payment Services Act and that in the relationship between the customer and the bank, the customer is thus fully responsible for the damage that was caused by the unauthorised use of the online banking credentials.

The bank’s duty to prevent payment transactions

The customer has, in addition, pleaded the fact that the bank should have prevented transfers of a highly exceptional nature.

The Banking Complaints Board notes that under the payment services regulations, banks must have at their disposal payment transaction control mechanisms allowing them to detect unauthorised and fraudulent payment transactions. However, this duty does not have a direct effect upon the division of responsibility between the bank and the customer regarding the unauthorised use of a payment instrument. The Banking Complaints Board thus considers that the bank is not obliged to compensate the customer for the resulting damage on the grounds that the bank did not prevent the unauthorised payments in question.

Final outcome

The Banking Complaints Board does not recommend compensation.

The Board’s decision was unanimous.

BANKING COMPLAINTS BOARD

Chairman Sillanpää
Secretary Hidén

Members

Atrila
Piilo
Punakivi
Tervonen
