Munich: Bank does not have to fully compensate damage after phishing attack

For Ms. B., a lot of money is at stake. The civil chamber at the Munich II Regional Court met virtually to hear her claim for a refund of 20,117 euros against VR Bank Dachau. After a phishing attack on her account and the accounts of her husband and son, Ms. B. asked the bank to pay her back the amount she had lost, which the bank refused. So Ms. B. sued. “I’m a little nervous,” her voice can be heard saying in the courtroom, where only the judge’s bench is occupied because of the coronavirus.

With so-called phishing, Internet fraudsters try to steal access data from bank customers by luring them to websites or asking them to make test or return transfers. It is almost impossible to find the perpetrators. The only option left is to sue the bank. Banks can be held liable if they have not informed customers about security risks. However, the bank is not to blame if customers behave “grossly negligently”. To the knowledge of the chamber hearing the case, there have not yet been any public judgments in comparable cases in Germany.

In the case of the B. family, criminals had probably intercepted access data with the help of a computer virus. Then the plaintiff received a phishing email that said: “Welcome to the e-Tan procedure. Activate yourself at vr-bank.net”. A little later, she received a letter from the bank itself with access data, including a warning not to give out the code over the phone. However, the letter contained no warning against logging on to a fake site. B. logged in with the real code on the wrong site. This allowed the perpetrators to withdraw money easily. They stole more than 12,000 euros from the 19-year-old son alone.

The judge said the woman could have been suspicious

Was Ms. B.’s behavior grossly negligent? According to Judge Thomas Böx, the chamber is “on the high seas” when making the assessment. It is about “casuistics”, i.e. individual case decisions. In the case of Ms. B., the court sees an interplay of several acts of carelessness. The phishing mail had several spelling mistakes, and the customer should have been suspicious when she received two letters within a short period of time, especially since the letters, placed side by side, would have shown clear deviations. Nevertheless, Ms. B. followed the procedure described in the phishing mail and logged on to vr-bank.net instead of vr-bank.de, as she had years before.

Judge Böx adds, however, that it is “anything but safe” that higher courts would not decide otherwise. He thinks it is possible that Ms. B. could take her claim to the Federal Court of Justice. Böx proposes a settlement payment from the bank of 6,500 euros to the son’s account. That way he would get back roughly half of his loss. According to Judge Böx, the young man was “really not to blame”.

This is a moral argument that the VR Bank lawyer rejects after consulting her client. Instead, she proposes a rather symbolic amount of 2,000 euros. After another interruption, Ms. B.’s lawyer accepts the offer, visibly contrite, but asks for a period of one week to think it over. They want to consult first with the plaintiff’s son, who is currently at work.

Should Ms. B. revoke her acceptance of the offer, the regional court will issue a final decision on March 11th. It is certainly not an easy decision for Ms. B., considering that in addition to the money lost to phishing, she also bears 90 percent of the legal costs.
